
Analysis Report 5PURCHASE ORDER.exe

Overview

General Information

Joe Sandbox Version: 25.0.0 Tiger's Eye
Analysis ID: 116881
Start date: 15.03.2019
Start time: 04:32:36
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 3s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: 5PURCHASE ORDER.exe
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes analysed: 21
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.phis.troj.spyw.evad.winEXE@25/14@4/2
EGA Information: Failed
HDC Information: Failed
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 0
  • Number of non-executed functions: 0
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .exe
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, consent.exe, conhost.exe, CompatTelRunner.exe, svchost.exe
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtProtectVirtualMemory calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: 5PURCHASE ORDER.exe, microsoftword.exe, microsoftword.exe, microsoftword.exe, MyOtApp.exe, MyOtApp.exe, microsoftword.exe, microsoftword.exe, microsoftword.exe, microsoftword.exe, microsoftword.exe, microsoftword.exe

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 100 | 0 - 100 | Report FP / FN | false | malicious

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 5 | 0 - 5 | false |


Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts | Scripting 21 | Startup Items 2 | Startup Items 2 | Software Packing 1 | Input Capture 1 | Process Discovery 1 | Application Deployment Software | Input Capture 1 | Data Compressed | Standard Non-Application Layer Protocol 2
Replication Through Removable Media | Service Execution | Registry Run Keys / Startup Folder 11 | Process Injection 111 | Disabling Security Tools 1 | Credentials in Registry 1 | Security Software Discovery 41 | Remote Services | Data from Local System 2 | Exfiltration Over Other Network Medium | Standard Application Layer Protocol 2
Drive-by Compromise | Windows Management Instrumentation | Accessibility Features | Path Interception | Process Injection 111 | Credentials in Files 2 | Remote System Discovery 1 | Windows Remote Management | Clipboard Data 1 | Automated Exfiltration | Custom Cryptographic Protocol
Exploit Public-Facing Application | Scheduled Task | System Firmware | DLL Search Order Hijacking | NTFS File Attributes 1 | Credentials in Files | System Network Configuration Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication
Spearphishing Link | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | Scripting 21 | Account Manipulation | System Information Discovery 112 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol

Signature Overview



AV Detection:

Antivirus detection for unpacked file
Source: 21.2.microsoftword.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 3.2.microsoftword.exe.20e0000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 3.2.microsoftword.exe.2120000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.2.microsoftword.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.2.microsoftword.exe.a70000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 3.2.microsoftword.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 21.2.microsoftword.exe.ac0000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 13.2.microsoftword.exe.ab0000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.2.microsoftword.exe.400000.0.unpack; Avira: Label: TR/Dropper.Gen
Source: 21.2.microsoftword.exe.a80000.2.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.2.microsoftword.exe.2260000.3.unpack; Avira: Label: TR/Dropper.Gen
Source: 12.2.microsoftword.exe.2210000.2.unpack; Avira: Label: TR/Dropper.Gen

Networking:

May check the online IP address of the machine
Source: unknown; DNS query: name: checkip.dyndns.org
HTTP GET or POST without a user agent
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: checkip.dyndns.org Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 131.186.113.70
Source: Joe Sandbox View; IP Address: 216.146.43.71
Downloads files from webservers via HTTP
Source: global traffic; HTTP traffic detected: GET / HTTP/1.1 Host: checkip.dyndns.org Connection: Keep-Alive
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: checkip.dyndns.org
Urls found in memory or binary data
Source: microsoftword.exe, 00000003.00000002.8341680286.00000000029CF000.00000004.sdmp, microsoftword.exe, 0000000C.00000002.8638565980.0000000002920000.00000004.sdmp, microsoftword.exe, 0000000D.00000002.8342276874.0000000002920000.00000004.sdmp, microsoftword.exe, 00000015.00000002.8700640976.0000000002B50000.00000004.sdmp; String found in binary or memory: http://checkip.dyndns.org
Source: microsoftword.exe, 00000015.00000002.8700640976.0000000002B50000.00000004.sdmp; String found in binary or memory: http://checkip.dyndns.org/
Source: microsoftword.exe, 0000000D.00000002.8342276874.0000000002920000.00000004.sdmp; String found in binary or memory: http://checkip.dyndns.orgX
Source: microsoftword.exe, 00000003.00000002.8341680286.00000000029CF000.00000004.sdmp; String found in binary or memory: http://checkip.dyndns.orgh
Source: microsoftword.exe, 00000015.00000002.8700640976.0000000002B50000.00000004.sdmp; String found in binary or memory: http://checkip.dyndns.orgx&Oq
Source: microsoftword.exe, 0000000C.00000002.8638565980.0000000002920000.00000004.sdmp; String found in binary or memory: http://checkip.dyndns.orgx&OqX

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Detected Agent Tesla keylogger
Source: microsoftword.exe, 00000015.00000002.8692898899.0000000000402000.00000040.sdmp; Memory string: get_Clipboard
Source: microsoftword.exe, 00000015.00000002.8692898899.0000000000402000.00000040.sdmp; Memory string: set_Sendwebcam
Source: microsoftword.exe, 00000015.00000002.8692898899.0000000000402000.00000040.sdmp; Memory string: get_ComputerName
Source: microsoftword.exe, 00000015.00000002.8692898899.0000000000402000.00000040.sdmp; Memory string: get_UserName
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Window created: window name: CLIPBRDWNDCLASS

System Summary:

Initial sample is a PE file and has a suspicious name
Source: initial sample; Static PE information: Filename: 5PURCHASE ORDER.exe
Potential malicious VBS script found (suspicious strings)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Dropped file: Set vHTRwmNd = CrEaTeobjEct("wSCriPt.sHELl")
Creates mutexes
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Reads the hosts file
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; File read: C:\Windows\System32\drivers\etc\hosts
Sample reads its own file content
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe; File read: C:\Users\user\Desktop\5PURCHASE ORDER.exe
Tries to load missing DLLs
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe; Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Section loaded: wow64log.dll
Source: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe; Section loaded: wow64log.dll
Source: C:\Windows\SysWOW64\ComputerDefaults.exe; Section loaded: wow64log.dll
Binary contains paths to development resources
Source: wscript.exe, 00000006.00000003.7751129858.0000022B07678000.00000004.sdmp; Binary or memory string: ;.VBp
Classification label
Source: classification engine; Classification label: mal100.phis.troj.spyw.evad.winEXE@25/14@4/2
Creates files inside the user directory
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe; File created: C:\Users\user\AppData\Roaming\iphone
Creates temporary files
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; File created: C:\Users\user\AppData\Local\Temp\temp.tmp
Executes visual basic scripts
Source: unknown; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iphone.vbs'
Parts of this application are using Borland Delphi (Probably coded in Delphi)
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Source: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe; Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
Parts of this application are using the .NET runtime (Probably coded in C#)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\497ab1dd171eeef956401f1aeb0b9fec\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Reads ini files
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Reads software policies
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe; Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Spawns processes
Source: unknown; Process created: C:\Users\user\Desktop\5PURCHASE ORDER.exe 'C:\Users\user\Desktop\5PURCHASE ORDER.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe C:\Users\user\AppData\Roaming\iphone\microsoftword.exe
Source: unknown; Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iphone.vbs'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe 'C:\Users\user\AppData\Roaming\iphone\microsoftword.exe'
Source: unknown; Process created: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe 'C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe'
Source: unknown; Process created: C:\Windows\SysWOW64\ComputerDefaults.exe unknown
Source: unknown; Process created: C:\Windows\SysWOW64\ComputerDefaults.exe 'C:\Windows\SysWOW64\computerdefaults.exe'
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe; Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe C:\Users\user\AppData\Roaming\iphone\microsoftword.exe
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe C:\Users\user\AppData\Roaming\iphone\microsoftword.exe
Source: C:\Windows\System32\wscript.exe; Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe 'C:\Users\user\AppData\Roaming\iphone\microsoftword.exe'
Source: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe; Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe C:\Users\user\AppData\Roaming\iphone\microsoftword.exe
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Process created: C:\Windows\SysWOW64\ComputerDefaults.exe unknown
Source: C:\Windows\SysWOW64\ComputerDefaults.exe; Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe 'C:\Users\user\AppData\Roaming\iphone\microsoftword.exe'
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe 'C:\Users\user\AppData\Roaming\iphone\microsoftword.exe'
Uses an in-process (OLE) Automation server
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder; Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Users\Admin\Desktop\IELibrary\IELibrary\obj\Debug\IELibrary.pdb source: microsoftword.exe, 00000003.00000002.8332034663.000000000043B000.00000040.sdmp, microsoftword.exe, 0000000C.00000002.8632986004.00000000021D0000.00000004.sdmp, microsoftword.exe, 0000000D.00000002.8332942407.000000000043B000.00000040.sdmp, microsoftword.exe, 00000015.00000002.8692898899.0000000000402000.00000040.sdmp
Source: Binary string: r\VB.net\stealers\firefoxx64\firefox\obj\Debug\firefox.pdb source: microsoftword.exe, 00000003.00000002.8332034663.000000000043B000.00000040.sdmp, microsoftword.exe, 0000000C.00000002.8632986004.00000000021D0000.00000004.sdmp, microsoftword.exe, 0000000D.00000002.8332942407.000000000043B000.00000040.sdmp, microsoftword.exe, 00000015.00000002.8692898899.0000000000402000.00000040.sdmp

Persistence and Installation Behavior:

Drops PE files
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe; File created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; File created: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe

Boot Survival:

Drops VBS files to the startup folder
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iphone.vbs
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iphone.vbs
Stores files to the Windows start menu directory
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\iphone.vbs
Creates an autostart registry key
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe; Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run MyOtApp

Hooking and other Techniques for Hiding and Protection:

barindex
Creates files in alternative data streams (ADS)Show sources
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exeFile created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe:ZoneIdentifierJump to behavior
Hides that the sample has been downloaded from the Internet (zone.identifier)Show sources
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeFile opened: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe:Zone.Identifier read attributes | deleteJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeFile opened: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe:Zone.Identifier read attributes | deleteJump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)Show sources
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeRegistry key monitored for changes: HKEY_CURRENT_USER_ClassesJump to behavior
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\wscript.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Contains long sleeps (>= 3 min)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Thread delayed: delay time: 1200000
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe TID: 4780 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe TID: 4780 Thread sleep time: -1200000s >= -30000s
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe TID: 5072 Thread sleep count: 48 > 30
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe TID: 2968 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe TID: 2968 Thread sleep time: -1200000s >= -30000s
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Last function: Thread delayed
Source: microsoftword.exe, 00000003.00000002.8345052373.0000000004DA0000.00000002.sdmp, microsoftword.exe, 0000000C.00000002.8645773626.0000000004EC0000.00000002.sdmp, microsoftword.exe, 0000000D.00000002.8343699449.0000000004ED0000.00000002.sdmp, microsoftword.exe, 00000015.00000002.8701565247.0000000004F10000.00000002.sdmpBinary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: microsoftword.exe, 00000003.00000002.8345052373.0000000004DA0000.00000002.sdmp, microsoftword.exe, 0000000C.00000002.8645773626.0000000004EC0000.00000002.sdmp, microsoftword.exe, 0000000D.00000002.8343699449.0000000004ED0000.00000002.sdmp, microsoftword.exe, 00000015.00000002.8701565247.0000000004F10000.00000002.sdmpBinary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: microsoftword.exe, 00000003.00000002.8345052373.0000000004DA0000.00000002.sdmp, microsoftword.exe, 0000000C.00000002.8645773626.0000000004EC0000.00000002.sdmp, microsoftword.exe, 0000000D.00000002.8343699449.0000000004ED0000.00000002.sdmp, microsoftword.exe, 00000015.00000002.8701565247.0000000004F10000.00000002.sdmpBinary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: microsoftword.exe, 0000000C.00000002.8631931618.000000000061D000.00000004.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: microsoftword.exe, 00000003.00000002.8345052373.0000000004DA0000.00000002.sdmp, microsoftword.exe, 0000000C.00000002.8645773626.0000000004EC0000.00000002.sdmp, microsoftword.exe, 0000000D.00000002.8343699449.0000000004ED0000.00000002.sdmp, microsoftword.exe, 00000015.00000002.8701565247.0000000004F10000.00000002.sdmpBinary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Queries a list of all running processesShow sources
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging:

Checks for debuggers (devices)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe File opened: C:\Windows\WinSxS\FileMaps\$$_system32_21f9a9c4a2f8b514.cdf-ms
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe System information queried: KernelDebuggerInformation
Checks if the current process is being debugged
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe Process queried: DebugFlags
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Process queried: DebugObjectHandle
Source: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe Process queried: DebugFlags
Source: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe Process queried: DebugObjectHandle
Enables debug privileges
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Process token adjusted: Debug
Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Maps a DLL or memory area into another process
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Section loaded: unknown target pid: 4820 protection: execute and read and write
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\5PURCHASE ORDER.exe Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe C:\Users\user\AppData\Roaming\iphone\microsoftword.exe
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe C:\Users\user\AppData\Roaming\iphone\microsoftword.exe
Source: C:\Windows\System32\wscript.exe Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe 'C:\Users\user\AppData\Roaming\iphone\microsoftword.exe'
Source: C:\Users\user\AppData\Roaming\MyOtApp\MyOtApp.exe Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe C:\Users\user\AppData\Roaming\iphone\microsoftword.exe
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Process created: C:\Windows\SysWOW64\ComputerDefaults.exe unknown
Source: C:\Windows\SysWOW64\ComputerDefaults.exe Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe 'C:\Users\user\AppData\Roaming\iphone\microsoftword.exe'
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Process created: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe 'C:\Users\user\AppData\Roaming\iphone\microsoftword.exe'
May try to detect the Windows Explorer process (often used for injection)
Source: microsoftword.exe, 0000000C.00000002.8632787095.0000000000DC0000.00000002.sdmp, microsoftword.exe, 00000015.00000002.8696509192.0000000000F30000.00000002.sdmp Binary or memory string: Shell_TrayWnd
Source: microsoftword.exe, 0000000C.00000002.8632787095.0000000000DC0000.00000002.sdmp, microsoftword.exe, 00000015.00000002.8696509192.0000000000F30000.00000002.sdmp Binary or memory string: Progman
Source: microsoftword.exe, 0000000C.00000002.8632787095.0000000000DC0000.00000002.sdmp, microsoftword.exe, 00000015.00000002.8696509192.0000000000F30000.00000002.sdmp Binary or memory string: ZProgram Manager
Source: microsoftword.exe, 0000000C.00000002.8632787095.0000000000DC0000.00000002.sdmp, microsoftword.exe, 00000015.00000002.8696509192.0000000000F30000.00000002.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Security\2.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Queries volume information: C:\ VolumeInformation
Queries the cryptographic machine GUID
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Instant Messenger accounts or passwords
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Key opened: HKEY_CURRENT_USER\Software\Paltalk
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Roaming\iphone\microsoftword.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities

Behavior Graph

Behavior Graph ID: 116881
Sample: 5PURCHASE ORDER.exe
Startdate: 15/03/2019
Architecture: WINDOWS
Score: 100

Signatures attached to the sample:

  • Detected Agent Tesla keylogger
  • May check the online IP address of the machine
  • Initial sample is a PE file and has a suspicious name
  • Antivirus detection for unpacked file

Processes, dropped files and signatures shown in the graph:

  • 5PURCHASE ORDER.exe (started)
      ◦ Dropped: C:\Users\user\AppData\...\microsoftword.exe, PE32
      ◦ Dropped: C:\...\microsoftword.exe:Zone.Identifier, ASCII
      ◦ Signature: Creates files in alternative data streams (ADS)
      ◦ Started: microsoftword.exe
          ▪ Signature: Potential malicious VBS script found (suspicious strings)
          ▪ Signature: Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
          ▪ Signature: Drops VBS files to the startup folder
          ▪ Signature: Maps a DLL or memory area into another process
          ▪ Started: microsoftword.exe
              - DNS/IP: checkip.dyndns.com 131.186.113.70, 49827, 49830, 49832 unknown United States
  • MyOtApp.exe (started)
      ◦ Started: microsoftword.exe
          ▪ Started: microsoftword.exe
  • MyOtApp.exe (started)
      ◦ Started: microsoftword.exe
          ▪ Started: microsoftword.exe
  • wscript.exe (started)
      ◦ Started: microsoftword.exe